On Fri, 2010-07-09 at 13:59 -0400, Russ Allbery wrote: > IIRC, there's some way to permit this with recent Kerberos clients that > can support an alternative salt, but I don't remember the details of how > to make it work. But hopefully those keywords will help get you pointed > in the right direction.
I don't think the Kerberos clients have to be all that recent. I see references to PW_SALT and ETYPE_INFO padata types at least as far back as 1.1. ETYPE_INFO2 support didn't come in until 1.3 (apparently) but I don't think that's necessary. In theory, it would be possible to modify all of the principal entries to contain an explicit salt. I don't know of specific tools to do this, although I wouldn't be surprised if someone had written one (in the form of a dumpfile transformation tool, most likely). ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
