Obtaining krbtgt key from preauthentication plugin

Alejandro Perez Mendez alex at um.es
Tue Aug 21 04:11:56 EDT 2012

On 21/08/12 04:09, Greg Hudson wrote:
> On 08/20/2012 09:12 AM, Alejandro Perez Mendez wrote:
>>       if ((errcode = krb5_dbe_find_enctype(kdc_context, request->server,
>>                                            -1, /* ignore keytype */
>>                                            -1, /* Ignore salttype */
>>                                            0,  /* Get highest kvno */
>>                                            &server_key))) {
> Doesn't this give a warning?  request->server is a krb5_principal, and
> the second argument to krb5_db_find_enctype is a krb5_db_entry *.

Oh, sorry, it does. I don't know how I missed that...

> kdcpreauth plugins have access to the client DB entry via the
> client_entry callback, but not currently to the server entry.  The server
> entry isn't necessarily the TGT anyway, and in some common scenarios
> (such as password changes) it is not.

OK, I see. Anyway, as I know the name of the server (krbtgt), isn't it 
possible to access that specific DB entry to obtain the keyblock?

> TGT keys can also be rolled over, in which case "get highest kvno" might
> get a higher version of the TGT key than the one used to encrypt the
> blob sent to the client.  It would be best to use the kvno of the
> encrypted blob you're decrypting (and make sure to set that kvno when
> it's encrypted).

Yeah, that's true. That's why I said "something similar to...". Anyway, 
that would be the call for encrypting a new blob, not for its decryption.


More information about the krbdev mailing list