Using a master key and principal name to derive password for principal

Roland C. Dowdeswell elric at imrryr.org
Wed Oct 16 04:04:07 EDT 2019


On Wed, Oct 16, 2019 at 02:45:19AM +0000, Coe Ts7 wrote:
> > get the impression that you are interested in using PKI for clients
> > who will use PKINIT to obtain a TGT.  In this case, is there any
> > reason that you need to know the client's key or password?  If you
> > never need to know a key or a password, then just randomise the
> > key and forget it on the creation of the client principal.
>
> Thanks for the reply.
> The reason why I need the keys to be predictable is that I don't want
> Kerberos to store anything,

I understand that.

What I am asking is: do you actually need the principals to have
keys that you can predict?  What are you going to use the keys for?
If you are simply going to have PKINIT clients, then you do not
need to _know_ the keys.  And if you do not need to know the keys,
then it is sufficient to randomise them.  You will still want to
have an entry in the Kerberos DB in most cases because it may contain
ancillary data such as the existence of the name.

When I say, "What are you going to use the keys for?", the question
really is made up of two parts:

	1.  what AS_REQs do you expect to issue and serve for the
	    principal in question? and

	2.  what TGS_REQs do you expect to issue and serve for the
	    principal in question?

--
    Roland C. Dowdeswell                   http://Imrryr.ORG/~elric/
