Multiple ETYPE-INFO-ENTRY with same etype but different salts

Greg Hudson ghudson at MIT.EDU
Mon Jul 18 10:15:35 EDT 2011


On Mon, 2011-07-18 at 10:05 -0400, Weijun Wang wrote:
> I guess the keys are stored in a db file as an array. Isn't there a way 
> to strip some kinds of keys from this file to make a new db? Or, its 
> integrity protection is so nice that we cannot touch it at all?

The KDB is actually pretty malleable, and can be modified with scripts
using dump and load.  The keys themselves are encrypted in the master
key, but that shouldn't be a problem since a script can just treat those
as opaque values.

So, if the AFS3-salted entries aren't needed, they could be removed,
which I think would cause the default salt to be used (which would then
work against the des-cbc-md5:normal key data entries).
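
A sketch of the dump-filter-load approach described above, as an added example that is not part of the original message and is not MIT krb5 code. It assumes the tab-separated `princ` record layout of the default `kdb5_util dump` format (7 header fields, 8 attribute/time fields, tl_data triples, then key data); the function name and sample record are constructed, so check the field positions against a dump from your own release before loading anything.

```python
AFS3_SALT = 2  # KRB5_KDB_SALTTYPE_AFS3 in MIT krb5's kdb.h

def strip_salted_keys(line, salt_type=AFS3_SALT):
    """Drop key data entries with the given salt type from one dump line."""
    f = line.rstrip("\n").split("\t")
    if f[0] != "princ":
        return line                      # header and policy lines pass through
    n_tl, n_key = int(f[3]), int(f[4])
    pos = 15 + 3 * n_tl                  # skip fixed fields and tl_data triples
    head, kept = f[:pos], []
    for _ in range(n_key):
        ver = int(f[pos])                # 1 = key only, 2 = key plus salt
        end = pos + 2 + 3 * ver          # ver, kvno, then (type, len, hex) * ver
        entry = f[pos:end]
        # With ver >= 2 the second triple is the salt; entry[5] is its type.
        # Encrypted key contents (entry[4]) are never decoded, only copied.
        if not (ver >= 2 and int(entry[5]) == salt_type):
            kept.append(entry)
        pos = end
    head[4] = str(len(kept))             # n_key_data must match what remains
    flat = [x for entry in kept for x in entry]
    return "\t".join(head + flat + f[pos:]) + "\n"

# Constructed sample record: every hex string is a made-up placeholder.
SAMPLE = "\t".join([
    "princ", "38", "16", "1", "2", "0", "user@EXAMPLE.COM",
    "0", "86400", "604800", "0", "0", "0", "0", "0",
    "2", "8", "0011223344556677",                          # one tl_data entry
    "1", "1", "3", "4", "aabbccdd",                        # des-cbc-md5:normal
    "2", "1", "3", "4", "11223344", "2", "4", "41424344",  # des-cbc-md5:afs3
    "-1;",
]) + "\n"

if __name__ == "__main__":
    print(strip_salted_keys(SAMPLE), end="")
```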




