Using a master key and principal name to derive password for principal
Ts7 Coe
tm3y at hotmail.com
Wed Oct 16 06:33:29 EDT 2019
> Then you don't actually need keys at all. If no one is going to
make an AS_REQ or TGS_REQ with the principal as a target, then you
do not need keys.
The principals will authenticate with each other, so any principal could
be a target of TGS_REQ. So I thinks there still must be keys for every
principal?
> Try to not set entry.key_data and entry.n_key_data (where entry is
krb5_db_entry structure) fields. We do this in FreeIPA for principals
that have no key associated and it works for PKINIT. It works just fine.
I thinks this operation is identical with purgekeys command? Then it could
also make the principal unable to be a server role.
I think principal still need keys in my scenario.
More information about the krbdev
mailing list