Using a master key and principal name to derive password for principal

Ts7 Coe tm3y at
Wed Oct 16 09:59:13 EDT 2019

I thought that when using PKINIT, the KDC would send the symmetric key to the principal,
perhaps encrypted with its public key. It looks like this isn't the case in Kerberos,
so I must deliver the symmetric key over an outbound connection.
If so, in my scenario, where the principal acts as both client and server, PKINIT seems
unnecessary, and a keytab file seems more suitable. But the approach I
described should still work.

There is one major problem with using a password derived from the principal name:
if one principal gets compromised, changing the master key would cause
all principals' keys to change. But this could be resolved by inserting the
compromised principal into the database with a new key.

Thanks to @Roland and @Alexander for the kind help on this issue.
I also have another simple and quick question. In FreeIPA or Active Directory,
do all service principals keep the same symmetric key for their entire
lifetime if no compromise occurs?

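The derivation scheme discussed in the message above, as an added example that is not code from the original post, from the thread participants, or from any Kerberos implementation: a per-principal password is derived with HKDF (RFC 5869, implemented here over HMAC-SHA256 using only the Python standard library) from a realm master key and the principal name. The realm salt, the layout of the HKDF info string, the per-principal key version number (`kvno`) and the `PrincipalKeyStore` class are assumptions made for illustration. The store shows the trade-off the poster raises: rotating the master key changes every derived password, while either storing an explicit password for the compromised principal (the poster's suggestion) or bumping that principal's kvno (an alternative shown here) changes only that one principal. The returned password is the string you would feed to the usual string2key path, for example via `kinit` or `ktutil`; it is not a Kerberos key itself.

```python
import base64
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds HKDF-Expand limit")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_principal_password(master_key: bytes, principal: str, kvno: int,
                              realm_salt: bytes) -> str:
    """Deterministically derive a password for `principal` from the master key.

    The info string binds the output to a purpose label, the full principal name
    and a per-principal version number, so changing the kvno of one principal
    changes only that principal's password. (Info layout is an assumption.)
    """
    prk = hkdf_extract(realm_salt, master_key)
    info = (b"principal-password\x00" + principal.encode("utf-8") + b"\x00"
            + kvno.to_bytes(4, "big"))
    return base64.b64encode(hkdf_expand(prk, info, 32)).decode("ascii")


class PrincipalKeyStore:
    """Hypothetical directory of principals keyed off one master key.

    Per-principal state is tiny: a kvno (default 1) and an optional explicit
    password override, which corresponds to the poster's idea of inserting a
    compromised principal into the database with a new key.
    """

    def __init__(self, master_key: bytes, realm_salt: bytes) -> None:
        self.master_key = master_key
        self.realm_salt = realm_salt
        self.kvno: dict[str, int] = {}
        self.override: dict[str, str] = {}

    def password_for(self, principal: str) -> str:
        if principal in self.override:
            return self.override[principal]
        return derive_principal_password(self.master_key, principal,
                                         self.kvno.get(principal, 1), self.realm_salt)

    def rekey_principal(self, principal: str) -> None:
        """Invalidate one principal's password by bumping its kvno."""
        self.kvno[principal] = self.kvno.get(principal, 1) + 1

    def set_explicit_password(self, principal: str, password: str) -> None:
        """Pin a principal to a password that no longer depends on the master key."""
        self.override[principal] = password

    def rotate_master_key(self, new_master_key: bytes) -> None:
        """Changes every derived password at once; overrides are unaffected."""
        self.master_key = new_master_key


if __name__ == "__main__":
    # Constructed sample data: a fixed 32-byte master key and two host principals.
    store = PrincipalKeyStore(b"\x11" * 32, b"EXAMPLE.COM")
    for name in ("host/a.example.com@EXAMPLE.COM", "host/b.example.com@EXAMPLE.COM"):
        print(name, store.password_for(name))
```

The HKDF functions are checked against RFC 5869 test case 1 in the verification below, so the derivation itself is standard; only the way the principal name and kvno are packed into `info` is specific to this example.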