Hi all,

Could you please confirm whether this means I can create the keytab entry on the application server? Also could you please let me know any issues involved with this approach?

Thanks,
Sandy.

[EMAIL PROTECTED] wrote:
> Hi Sam,
>
> Thanks a lot for the reply.
>
> Does this mean that by knowing the following parameters, namely the password, the salt (which can include principal and realm), s2k parameters and the key version number, I can create the key on the application server itself which is identical to that used by the KDC while issuing the service ticket?
>
> Thanks,
> Sandy.
>
> Sam Hartman wrote:
>> >>>>> "sandypossible" == sandypossible <[EMAIL PROTECTED]> writes:
>>
>>     sandypossible> Hi all, I have some additional queries:
>>
>>     sandypossible> 1) I understand that while creating the keytab file, the KDC creates the key using the service principal and its password. This key is extracted in the keytab file. Could you please let me know if this extracted keytab contains only the password in encrypted form? Does the KDC use any salt or realm name along with the password during key creation?
>>
>> Please take a look at the string2key operation in RFC 3961, the implementation for AES in RFC 3962 and the implementation for RC4 in draft-jaganathan-rc4-hmac-01.txt.
>>
>> In general, in order to convert a password to a key you need:
>>
>> * the password
>> * the salt (which can include principal and realm)
>> * s2k parameters
>> * the key version number
>>
>> There are various cases in which protocols can be used to find out some of these. For example, if you have the principal and password you could attempt an AS request with the principal and use the etype_info2 structure to get the salt and s2kparams. This however will not get you the key version number.
>>
>> Depending on KDC configuration, you may be able to perform a TGS request to get a key version number.
>>
>> --Sam

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
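As an added illustration of the inputs Sam lists, and not code from this thread or from MIT Kerberos, the following Go program carries out the RFC 3962 AES string-to-key computation end to end: PBKDF2-HMAC-SHA1 over the password and salt with the iteration count taken from the 4-byte s2kparams (4096 when absent), followed by the DK step that encrypts the n-folded constant "kerberos" under the PBKDF2 output. The `defaultSalt` helper assumes the RFC 4120 default salt (realm followed by the principal name components with no separators); a realm configured with a different salt has to supply it through etype_info2 as Sam describes. The key version number is deliberately not a parameter: it contributes nothing to the key bytes and only labels which generation of the key a keytab entry holds, so it has to be learned separately and written into the entry. The vectors exercised in `main` are the ones published in RFC 3962 Appendix B. The practical consequence for the approach Sandy asks about is that the derivation is fully determined by the password and salt, so a service password that is distributed to application servers for local keytab generation deserves exactly the protection a keytab file gets.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// pbkdf2SHA1 is a minimal PBKDF2-HMAC-SHA1 (RFC 2898); the Kerberos AES
// enctypes only ever ask it for 16 or 32 bytes.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		idx := make([]byte, 4)
		binary.BigEndian.PutUint32(idx, block)
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write(idx)
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func gcd(a, b int) int {
	for b != 0 {
		a, b = b, a%b
	}
	return a
}

// rotRight rotates a byte string right by nbits, treating it as one big-endian bit string.
func rotRight(b []byte, nbits int) []byte {
	n := len(b)
	nbits %= n * 8
	byteShift, bitShift := nbits/8, nbits%8
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		src := ((i-byteShift)%n + n) % n
		prev := (src + n - 1) % n
		out[i] = byte((uint16(b[prev])<<8 | uint16(b[src])) >> bitShift)
	}
	return out
}

// nfold is the RFC 3961 n-fold: copies of the input, each rotated right by a
// further 13 bits, are concatenated to lcm(inLen, outLen) bytes and the
// outLen-byte chunks are summed with ones'-complement (end-around carry) addition.
func nfold(in []byte, outLen int) []byte {
	inLen := len(in)
	l := inLen * outLen / gcd(inLen, outLen)
	buf := make([]byte, 0, l)
	for k := 0; len(buf) < l; k++ {
		buf = append(buf, rotRight(in, 13*k)...)
	}
	out := make([]byte, outLen)
	carry := 0
	for i := outLen - 1; i >= 0; i-- {
		sum := carry
		for j := i; j < l; j += outLen {
			sum += int(buf[j])
		}
		out[i] = byte(sum)
		carry = sum >> 8
	}
	for carry != 0 { // end-around carry
		for i := outLen - 1; i >= 0 && carry != 0; i-- {
			sum := int(out[i]) + carry
			out[i] = byte(sum)
			carry = sum >> 8
		}
	}
	return out
}

// deriveKey is DK(tkey, "kerberos") from RFC 3962 section 4: the constant is
// n-folded to one AES block and encrypted; for a 32-byte key the ciphertext is
// encrypted again and the two blocks are concatenated.
func deriveKey(tkey []byte, keyLen int) ([]byte, error) {
	c, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	block := nfold([]byte("kerberos"), aes.BlockSize)
	var out []byte
	for len(out) < keyLen {
		next := make([]byte, aes.BlockSize)
		c.Encrypt(next, block)
		out = append(out, next...)
		block = next
	}
	return out[:keyLen], nil
}

// stringToKey is the RFC 3962 string-to-key for aes128-cts (keyLen 16) and
// aes256-cts (keyLen 32). s2kparams is the 4-byte big-endian iteration count
// carried in etype_info2, or empty for the default of 4096.
func stringToKey(password, salt string, s2kparams []byte, keyLen int) ([]byte, error) {
	iter := 4096
	switch len(s2kparams) {
	case 0:
	case 4:
		iter = int(binary.BigEndian.Uint32(s2kparams))
	default:
		return nil, fmt.Errorf("s2kparams must be empty or 4 bytes, got %d", len(s2kparams))
	}
	if iter == 0 {
		return nil, fmt.Errorf("iteration count of zero is not allowed")
	}
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iter, keyLen)
	return deriveKey(tkey, keyLen)
}

// defaultSalt is the RFC 4120 default: realm, then the principal components joined without separators.
func defaultSalt(realm string, components ...string) string {
	return realm + strings.Join(components, "")
}

func main() {
	salt := defaultSalt("ATHENA.MIT.EDU", "raeburn") // RFC 3962 Appendix B vector
	for _, keyLen := range []int{16, 32} {
		key, err := stringToKey("password", salt, []byte{0, 0, 0, 1}, keyLen)
		if err != nil {
			panic(err)
		}
		fmt.Printf("aes%d-cts key, salt %q, 1 iteration: %s\n", keyLen*8, salt, hex.EncodeToString(key))
	}
}
```

Running it prints the two Appendix B keys for one iteration; swapping in `[]byte{0, 0, 0x04, 0xb0}` (1200 iterations) reproduces the corresponding vector, which is the cheapest way to confirm that a locally generated keytab entry will match what the KDC holds before deploying it.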
