Using a master key and principal name to derive password for principal

Coe Ts7 tm3y at
Mon Oct 14 23:46:25 EDT 2019

I'm look for a simple but effective High Available solution for kerberos.
In my deployment, I will use kerberos PKINIT. So there's a chance that the kerberos doesn't store principal list, just generate ticket according the name in PKI certificate.
And I try to go further and make kerberos not to store principal password, so that the kerberos is completely stateless and fully trusts PKI.
To achieve that,  I want to use some crypto & hashing mechanisms to make all kerberos instances could calculate the same password for each principal through a shared master key and principal name.

I'm wondering is this way secure cryptographically? If so, is there some source code for reference to make this algorithm implemented?
Thanks in advance!


More information about the krbdev mailing list