more false positive "keytab entry valid" with kvno -k
Mark Pröhl
mark at mproehl.net
Fri Feb 22 08:05:45 EST 2013
Hi,
I'm testing the correctness of keytab entries with the following
command: kvno -k /path/to/krb5.keytab test_principal@EXAMPLE.COM
In most cases the output ("keytab entry valid" or "keytab entry invalid")
is now reliable, after the following issue has been fixed:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7051&user=guest&pass=guest.
However, there are more cases that lead to false positive "keytab entry
valid" messages.
Example 1 (Wrong key version number): if test_principal's entry has been
created with a wrong KVNO then kvno -k still reports "keytab entry valid".
Example 2 (Wrong key): consider a defective keytab file with an entry
for test_principal@EXAMPLE.COM that has an incorrect key. If there is
another entry for a differently named principal in the same file and if
that entry contains test_principal's correct key then kvno -k will
report "keytab entry valid".
I am aware that "-k" is only documented in the output of kvno --help and
not in the manual pages. Here's a link to an RT-issue that proposes a
fix to the kvno manual page:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7476&user=guest&pass=guest
Regards,
Mark
--
Mark Pröhl
mark at mproehl.net
www.kerberos-buch.de
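
An offline cross-check for the two cases described in the message, added here as an illustration; it is not part of the original post and is not MIT krb5 code. It parses a keytab in file format 0x0502 and compares the entries for one principal against a reference kvno and key that are assumed to be known (for instance from a known-good keytab); the function names, the finding labels and the sample keytabs are constructed for this example.

```python
import struct

def build_entry(principal, kvno, enctype, key):
    """Serialize one format-0x0502 keytab entry (only used to construct the samples)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                      # realm first, then name components
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)                # trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, kvno, enctype, key) for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                              # negative length marks a deleted slot
            pos += -size
            continue
        rec, off, parts = data[pos:pos + size], 2, []
        pos += size
        for _ in range(struct.unpack_from(">H", rec)[0] + 1):
            (n,) = struct.unpack_from(">H", rec, off)
            parts.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        _type, _time, vno8, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        key, off = rec[off + 13:off + 13 + klen], off + 13 + klen
        vno32 = struct.unpack_from(">I", rec, off)[0] if len(rec) - off >= 4 else 0
        entries.append(("/".join(parts[1:]) + "@" + parts[0], vno32 or vno8, etype, key))
    return entries

def audit(entries, principal, ref_kvno, ref_key):
    """Flag the two cases from the message against reference values (assumed known)."""
    mine = [e for e in entries if e[0] == principal]
    findings = [] if any(e[1] == ref_kvno for e in mine) else ["wrong-kvno"]
    if not any(e[3] == ref_key for e in mine):
        findings.append("wrong-key")
        if any(e[3] == ref_key for e in entries if e[0] != principal):
            findings.append("key-under-other-principal")
    return findings

P, GOOD, BAD = "test_principal@EXAMPLE.COM", bytes(range(16)), bytes(16)  # constructed
EX1 = b"\x05\x02" + build_entry(P, 7, 17, GOOD)               # Example 1: stale kvno
EX2 = b"\x05\x02" + build_entry(P, 3, 17, BAD) + build_entry("other@EXAMPLE.COM", 3, 17, GOOD)
print(audit(parse_keytab(EX1), P, 3, GOOD), audit(parse_keytab(EX2), P, 3, GOOD))
```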