The logic is either from the spec (3961?) or MIT Kerberos codes. It's intended to form the salt in that way, thus given a certain password for a principal, the generated encryption key will be the same value for an encryption type. All the vendors implement the logic so they can talk to each other for the clients using password. Not safe? Yes, that's why other means like using genkey with random bytes would be preferred for service principals. This explanation may not be accurate but should be a starting point to explore.
Regards,
Kai

-----Original Message-----
From: Emmanuel Lécharny [mailto:[email protected]]
Sent: Wednesday, December 30, 2015 5:19 PM
To: [email protected]
Subject: PrincipalName makeSalt method

Hi !

I wonder what the PrincipalName.makeSalt() method is doing... It constructs a PrincipalName where the '/' and '@' are removed, and concatenated in reverse order, which does not make a lot of sense to me... Worst case: it is used to produce a salt for an encryption method, which is a bad idea, considering the salt is based on the principalName's content...
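The following is an added illustration, not code from this thread, from Apache Kerby or from MIT Kerberos: it builds the default salt the way RFC 3961 section 4 describes (realm first, then the name components, separators dropped, which is the "reverse order" concatenation in the question) and runs it through the PBKDF2 stage of the RFC 3962 AES string-to-key function. The function names `default_salt`, `pbkdf2_stage`, `password_key` and `random_key` are my own, and the final DK() step of RFC 3962 is left out because the point (same password plus same principal gives the same key on every vendor's KDC) is already visible after PBKDF2. The RFC 3962 Appendix B test vector uses exactly the default salt of `raeburn@ATHENA.MIT.EDU`, so it doubles as a check that the salt rule is right.

```python
"""Kerberos default salt and the PBKDF2 stage of AES string-to-key.

Added example; the helpers below are hypothetical names, not the API of
Kerby or MIT krb5.  Reference: RFC 3961 s.4 (default salt), RFC 3962 s.4
and Appendix B (PBKDF2 parameters and test vectors).
"""
import hashlib
import secrets


def default_salt(principal: str) -> str:
    """Return the default string-to-key salt for a principal string.

    RFC 3961 s.4: when the KDC supplies no explicit salt in the ETYPE-INFO
    pre-authentication data, the salt is the realm followed by the name
    components, in order, with no separators.  So 'host/www@EXAMPLE.COM'
    becomes 'EXAMPLE.COMhostwww'.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must look like comp1/comp2@REALM")
    return realm + "".join(name.split("/"))


def pbkdf2_stage(password: str, salt: str, iterations: int = 4096,
                 key_bytes: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 as used by RFC 3962 (AES128: 16 bytes, default 4096
    iterations).  The real string-to-key then applies DK(tkey, "kerberos");
    that step is deterministic as well and is omitted here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bytes)


def password_key(principal: str, password: str, iterations: int = 4096) -> bytes:
    """Key material an interoperable KDC derives from a principal's password.

    Anyone who knows the principal name knows the salt, so the only secret
    input is the password itself.
    """
    return pbkdf2_stage(password, default_salt(principal), iterations)


def random_key(key_bytes: int = 16) -> bytes:
    """What a genkey/randkey style operation does for service principals:
    fresh random key material that does not depend on a password or a salt."""
    return secrets.token_bytes(key_bytes)


def keys_agree(principal: str, password: str) -> bool:
    """Two independent derivations (think: two vendors' KDCs) must agree."""
    return password_key(principal, password) == password_key(principal, password)


if __name__ == "__main__":
    # Constructed sample principal; same user name in two realms yields two
    # different salts and therefore two different keys.
    for p in ("alice@EXAMPLE.COM", "alice@CORP.EXAMPLE.COM"):
        print(p, "->", default_salt(p), password_key(p, "correct horse").hex())
    # RFC 3962 Appendix B vector (iteration count 1) as a self-check.
    print(pbkdf2_stage("password", default_salt("raeburn@ATHENA.MIT.EDU"), 1).hex())
```

The defender's takeaway matches Kai's point: a password-derived key is only as unpredictable as the password, because the salt is public by construction. For service principals that never type a password, a randomly generated key (the `random_key` path here, `ktadd`/`randkey`-style operations in real deployments) removes that dependency entirely.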
