Ken Hornstein wrote:
>>> ank -kvno 2 -randkey -e "des-cbc-crc:normal" [EMAIL PROTECTED]
>>>
>>> This has been discussed before AND NOT ENTERED INTO THE DOCUMENTATION.
>>>
>> I think -randkey causes the salt to be ignored -- I used :afs3 and
>> a subsequent getprinc says that the principal has no salt.
>>
>
> It's a bit more complicated than that. When you use -randkey, you're
> creating a random encryption key. Remember that point.
>
> What the salt does is provide an extra bit of permutation to the
> algorithm to convert a password (what humans type) to an encryption key
> (what Kerberos actually uses). AFS uses one salt algorithm; Kerberos
> V5 by default uses another. But if you're creating a random encryption
> key, there is no password that corresponds to that encryption key, so
> the salt is meaningless; in this case, the Kerberos code is hardcoded
> to only use the "normal" salt for DES-based enctypes.

But you have to specifically ask for :normal.

> Now that I think
> about it, there is probably no reason for this, as it doesn't matter in
> any case and it just ends up confusing people. To complicate matters
> further, in MIT Kerberos "no salt" really means "take the default",
> which means "Use the V5 salt rules" ... and you indicate that by
> adding ":normal" to the encryption type when you create a key.
>
>
>> Converting to Kerberos V has been a bit frustrating -- you can't just
>> follow a recipe, you have to use Google and learn quite a bit about
>> K5 and AFS to work through it all. I'm still learning.
>>
>
> You now see why I included so much basic material about AFS and Kerberos 5
> in the Migration Kit documentation :-/
>
> --Ken
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info
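
Added example, not part of the original thread and not MIT Kerberos or OpenAFS code: a Python sketch of why the salt matters for a password-derived key and has no role for a -randkey key. Assumptions: PBKDF2-HMAC-SHA1 stands in for the enctype's real string-to-key function (it is not the DES or AFS algorithm), the AFS-style salt is modelled as the lowercased cell name, and the realm, principal and password are constructed sample values.

```python
import hashlib
import os


def v5_normal_salt(realm, components):
    """Kerberos V5 default ("normal") salt: the realm followed by the
    principal's name components, concatenated without separators."""
    return (realm + "".join(components)).encode()


def afs3_style_salt(realm):
    """Simplified AFS-style salt (assumption): the lowercased cell name only."""
    return realm.lower().encode()


def string_to_key(password, salt, length=16):
    """Stand-in string-to-key: password + salt -> key bytes.
    PBKDF2 is used here only to show the salt's role; it is NOT the
    DES or AFS string-to-key algorithm."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, dklen=length)


def random_key(length=16):
    """Model of -randkey: the key comes straight from the RNG. There is no
    password to convert, so no salt is ever consulted."""
    return os.urandom(length)


def compare_salts(realm, components, password):
    """Derive the same password under both salt rules and report the result."""
    k_normal = string_to_key(password, v5_normal_salt(realm, components))
    k_afs = string_to_key(password, afs3_style_salt(realm))
    return {"normal": k_normal, "afs3": k_afs, "same": k_normal == k_afs}


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    result = compare_salts("EXAMPLE.COM", ["afs", "example.com"], "correct horse")
    print("normal salt key:", result["normal"].hex())
    print("afs3 salt key:  ", result["afs3"].hex())
    print("keys match:     ", result["same"])
    print("random key:     ", random_key().hex(), "(no salt involved)")
```

The same password yields two different keys under the two salt rules, so the salt type recorded on a principal matters only when a client has to re-derive the key from a password; a random key is stored and extracted as-is.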
