[36517] in Kerberos
Re: Retrieving Kerberos password hash
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Oct 7 11:03:55 2014
Message-ID: <5434009C.2090106@mit.edu>
Date: Tue, 07 Oct 2014 11:02:52 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: kannan rbk <kannanrbk.r@gmail.com>, "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <CAO-u-jviM_U_Mm9UhaooRFgNYod-UWy2GhOrqz37QA3ROeCgLw@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 10/07/2014 08:43 AM, kannan rbk wrote:
> Is there any way to get the password hash & salt from the kerberos server?
The Kerberos protocol uses a very specific kind of "password hash" (the
RFC 3961 string-to-key operation), which may not be importable into
other applications. It might be importable into Active Directory since
AD is itself a Kerberos implementation; I'm not certain.
The MIT krb5 admin protocol doesn't allow long-term keys to be retrieved
from the DB without changing them. But you can retrieve long-term keys
using kadmin.local (using the "ktadd -norandkey" operation) or from a
database dump.
The salt can be retrieved in a variety of ways: from the etype-info2
field of an AS reply, from a database dump, or in most cases just by
computing the default salt from the principal name. The default salt
for a principal name is the realm name followed by the principal
components in order, e.g. "ATHENA.MIT.EDUghudson" for
ghudson@ATHENA.MIT.EDU.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
