randkey versus a big random password

Chris Hecker checker at d6.com
Mon Nov 27 15:24:06 EST 2017

The version of kadm5 I'm using doesn't have the kadm5_get_principal_keys
function, nor does it seem to ever return keys to the kadm5 client (which
seems to have been the thing before
https://krbdev.mit.edu/rt/Ticket/Display.html?id=8364). I plan to upgrade
at some point soon, but is there any advantage to trying to get a randkey
generated key from the KDC back to my client app over just making a big
random password and sending it over, and then using it to generate the key
locally? Seems like fewer round trips anyway? Is there any optimal length
for the password (the enctype will be AES256)?

