Obtaining krbtgt key from preauthentication plugin
Alejandro Perez Mendez
alex at um.es
Tue Aug 21 04:11:56 EDT 2012
On 21/08/12 04:09, Greg Hudson wrote:
> On 08/20/2012 09:12 AM, Alejandro Perez Mendez wrote:
>> if ((errcode = krb5_dbe_find_enctype(kdc_context, request->server,
>> -1, /* ignore keytype */
>> -1, /* Ignore salttype */
>> 0, /* Get highest kvno */
>> &server_key))) {
> Doesn't this give a warning? request->server is a krb5_principal, and
> the second argument to krb5_db_find_enctype is a krb5_db_entry *.
Oh, sorry, it does. I don't know how I missed that...
> kdcpreauth plugins have access to the client DB entry via the
> client_entry callback, but not currently to the server entry. The server
> entry isn't necessarily the TGT anyway, and in some common scenarios
> (such as password changes) it is not.
OK, I see. Anyway, as I know the name of the server (krbtgt), isn't it
possible to access that specific DB entry to obtain the keyblock?
> TGT keys can also be rolled over, in which case "get highest kvno" might
> get a higher version of the TGT key than the one used to encrypt the
> blob sent to the client. It would be best to use the kvno of the
> encrypted blob you're decrypting (and make sure to set that kvno when
> it's encrypted).
>
Yeah, that's true. That's why I said "something similar to...". Anyway,
that would be the call for encrypting a new blob, not for its decryption.
Regards,
Alejandro
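The kvno point Greg raises above, as an added example that is not part of this thread and not code from the MIT krb5 tree: the key ring, the blob layout and the cipher (XOR with a repeating key plus an FNV-1a checksum so that a wrong key is detectable) are constructed toys standing in for the krbtgt DB entry and krb5_c_encrypt/krb5_c_decrypt. It shows that a blob encrypted under kvno 1 stops decrypting with a "highest kvno" lookup once the TGT key is rolled to kvno 2, while a lookup keyed on the kvno recorded in the blob still finds the right key, and that a retired kvno yields a clean error rather than garbage.

```c
/* Added example, not from the thread: select the TGT key by the kvno
 * recorded in the blob, not by "highest kvno". Key ring, blob format and
 * cipher are toys; a real kdcpreauth plugin would use the krb5 DB entry
 * and the libkrb5 crypto API. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEYLEN  8
#define MAXKEYS 4
#define MAXDATA 32

/* Hypothetical TGT key ring: one entry per key version (kvno). */
struct tgt_key  { int kvno; uint8_t key[KEYLEN]; };
struct key_ring { struct tgt_key keys[MAXKEYS]; int count; };

/* Blob as the plugin would hand it to the client: the kvno of the key
 * actually used is recorded next to the ciphertext. */
struct blob { int kvno; size_t len; uint8_t data[MAXDATA]; uint32_t sum; };

/* FNV-1a over the plaintext, so decryption under a wrong key is detected. */
static uint32_t checksum(const uint8_t *p, size_t n) {
    uint32_t s = 2166136261u;
    for (size_t i = 0; i < n; i++) s = (s ^ p[i]) * 16777619u;
    return s;
}

static const struct tgt_key *find_kvno(const struct key_ring *r, int kvno) {
    for (int i = 0; i < r->count; i++)
        if (r->keys[i].kvno == kvno) return &r->keys[i];
    return NULL;
}

static const struct tgt_key *find_highest(const struct key_ring *r) {
    const struct tgt_key *best = NULL;
    for (int i = 0; i < r->count; i++)
        if (!best || r->keys[i].kvno > best->kvno) best = &r->keys[i];
    return best;
}

/* Toy cipher: XOR with the repeating key (symmetric, so used for both ways). */
static void xor_key(uint8_t *buf, size_t n, const uint8_t *key) {
    for (size_t i = 0; i < n; i++) buf[i] ^= key[i % KEYLEN];
}

/* Encrypting a new blob: use the current (highest) key and record its kvno. */
int encrypt_blob(const struct key_ring *r, const uint8_t *pt, size_t n, struct blob *out) {
    const struct tgt_key *k = find_highest(r);
    if (!k || n > MAXDATA) return -1;
    out->kvno = k->kvno; out->len = n; out->sum = checksum(pt, n);
    memcpy(out->data, pt, n);
    xor_key(out->data, n, k->key);
    return 0;
}

/* Decrypt with the key version the blob names: -1 if that kvno is gone
 * from the ring, -2 if the checksum does not verify, 0 on success. */
int decrypt_blob_by_kvno(const struct key_ring *r, const struct blob *b, uint8_t *pt) {
    const struct tgt_key *k = find_kvno(r, b->kvno);
    if (!k) return -1;
    memcpy(pt, b->data, b->len);
    xor_key(pt, b->len, k->key);
    return checksum(pt, b->len) == b->sum ? 0 : -2;
}

/* The fragile variant the thread warns about: always take the highest kvno. */
int decrypt_blob_highest(const struct key_ring *r, const struct blob *b, uint8_t *pt) {
    const struct tgt_key *k = find_highest(r);
    if (!k) return -1;
    memcpy(pt, b->data, b->len);
    xor_key(pt, b->len, k->key);
    return checksum(pt, b->len) == b->sum ? 0 : -2;
}

/* Scenario: encrypt under kvno 1, roll the TGT key to kvno 2, decrypt both
 * ways, then retire kvno 1 and decrypt again. Return codes are written to
 * the out-parameters; the function returns 0 if the by-kvno plaintext
 * matched the original message. */
int rollover_demo(int *highest_rc, int *by_kvno_rc, int *retired_rc) {
    struct key_ring ring = { { { 1, {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88} } }, 1 };
    struct tgt_key k2 = { 2, {0xa1,0xb2,0xc3,0xd4,0xe5,0xf6,0x07,0x18} };
    const uint8_t msg[] = "state@realm";        /* constructed payload */
    struct blob b; uint8_t pt[MAXDATA];
    if (encrypt_blob(&ring, msg, sizeof msg, &b) != 0) return -1;
    ring.keys[ring.count++] = k2;                 /* TGT key rollover */
    *highest_rc = decrypt_blob_highest(&ring, &b, pt);   /* -2: wrong key */
    *by_kvno_rc = decrypt_blob_by_kvno(&ring, &b, pt);   /* 0: right key */
    int ok = memcmp(pt, msg, sizeof msg) == 0 ? 0 : -3;
    ring.keys[0] = k2; ring.count = 1;            /* kvno 1 retired */
    *retired_rc = decrypt_blob_by_kvno(&ring, &b, pt);   /* -1: kvno gone */
    return ok;
}

int main(void) {
    int h, k, r;
    int rc = rollover_demo(&h, &k, &r);
    printf("by-kvno plaintext ok=%d highest=%d by_kvno=%d retired=%d\n", rc == 0, h, k, r);
    return rc == 0 ? 0 : 1;
}
```

The encrypt side is the only place where "highest kvno" is the right selector, which matches the distinction drawn in the reply above; the decrypt side must trust the kvno the blob carries, and treat an unknown kvno as a hard failure rather than falling back to whatever key is current.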