Well, it's just a time consumer to figure out what it wants...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Marcus Watts
Sent: Wednesday, January 31, 2007 5:13 PM
To: [email protected]
Subject: Re: [OpenAFS] Re: Windows AFS client / Kerberos V

tc <[EMAIL PROTECTED]> writes:
> Ken Hornstein wrote:
> >>> ank -kvno 2 -randkey -e "des-cbc-crc:normal" [EMAIL PROTECTED]
> >>>
> >>> This has been discussed before AND NOT ENTERED INTO THE DOCUMENTATION.
> >>>
> >> I think -randkey causes the salt to be ignored -- I used :afs3 and
> >> a subsequent getprinc says that the principal has no salt.
> >>
> >
> > It's a bit more complicated than that. When you use -randkey, you're
> > creating a random encryption key. Remember that point.
> >
> > What the salt does is provide an extra bit of permutation to the
> > algorithm to convert a password (what humans type) to an encryption key
> > (what Kerberos actually uses). AFS uses one salt algorithm; Kerberos
> > V5 by default uses another. But if you're creating a random encryption
> > key, there is no password that corresponds to that encryption key, so
> > the salt is meaningless; in this case, the Kerberos code is hardcoded
> > to only use the "normal" salt for DES-based enctypes.
> But you have to specifically ask for :normal.

You have to say "normal" or "afs3" or "v4" or something. That's just a
property of the interface. It's correct to say the salt is
"meaningless", because it truly has no meaning for keys not derived
from a password.

-Marcus Watts
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info