Using a master key and principal name to derive password for principal

Alexander Bokovoy abokovoy at
Wed Oct 16 10:47:21 EDT 2019

On Wed, 16 Oct 2019, Ts7 Coe wrote:
>I thought when using PKINIT, KDC will send the symmetric key to principal,
>maybe encrypted with the public key. Looks like this isn't true in kerberos.
RFC 4556 defines the way how client and KDC pre-authenticate with

>So I must deliver the symmetric key using outbound connection.
>If so, in my scenario, principal act both client and server, PKINIT seems
>unnecessary, and keytab file seems more suitable. But the approach I
>described should still work.
>There is one major problem to use principal name derived password:
>If one principal get compromised, changing the master key could lead to
>all principals' key changed. But this could be resolved by inserting the
>compromised principal into the database with a new key.
It is way better to have a state and store keys. ;)

>Thank @Roland and @Alexander for the kind help on this issue.
>Also, I have another simple and quick question. In freeipa or active directory,
>Is that all service principals don't change their symmetric key in the entire
>life time if no compromise occurred?
In Active Directory all service principals are aliases (service
principal names, SPNs) of the machine accounts of the machines on which
they are hosted. Machine account credentials are typically rotated at
some period, according to a domain-wide policy.

In FreeIPA we typically don't rotate the keys but there are tools that
allow such rotation to happen. Each principal has enough rights to
request its own key rotation, so this is left for admins to decide
whether they would like to run something like the following:

kinit -k -t /path/to/keytab service-principal-name
ipa-getkeytab -k /path/to/keytab -p service-principal-name


/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
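Added illustration (not code from the thread or from FreeIPA) of the two points above: a key derived from a master key plus the principal name means that rotating the master after one compromise changes every principal's key, whereas stored per-principal keys can be rotated one at a time, which is what the kinit/ipa-getkeytab sequence does for a single service. The HMAC-SHA256 derivation, the label string and the principal names are constructed assumptions; the thread names no particular KDF.

```python
import hmac
import hashlib
import secrets


def derive_key(master: bytes, principal: str) -> bytes:
    # Stateless scheme discussed in the thread: key = KDF(master, principal).
    # HMAC-SHA256 with a constructed label stands in for the unspecified KDF.
    return hmac.new(master, b"krb-long-term-key:" + principal.encode(), hashlib.sha256).digest()


def principals_rekeyed_by_master_rotation(old_master: bytes, new_master: bytes, principals):
    """Principals whose long-term key changes when the master key is replaced.

    With a pure derivation there is no per-principal state, so this is the whole set:
    one compromised principal forces a rekey of every other principal as well.
    """
    return {p for p in principals if derive_key(old_master, p) != derive_key(new_master, p)}


class StoredKeyTable:
    """Stateful alternative: each principal holds an independent random key.

    Rotating one entry (conceptually what ipa-getkeytab does for one service
    principal) leaves every other principal's key untouched.
    """

    def __init__(self, principals):
        self._keys = {p: secrets.token_bytes(32) for p in principals}

    def key(self, principal: str) -> bytes:
        return self._keys[principal]

    def rotate(self, principal: str) -> set:
        """Replace one principal's key; return the set of principals whose key changed."""
        before = dict(self._keys)
        self._keys[principal] = secrets.token_bytes(32)
        return {p for p in self._keys if self._keys[p] != before[p]}


if __name__ == "__main__":
    # Constructed sample principals and master keys.
    names = ["HTTP/web.example.test", "ldap/dir.example.test", "host/db.example.test"]
    old, new = secrets.token_bytes(32), secrets.token_bytes(32)
    print("derived scheme rekeys:", sorted(principals_rekeyed_by_master_rotation(old, new, names)))
    table = StoredKeyTable(names)
    print("stored scheme rekeys: ", sorted(table.rotate(names[0])))
```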
