[32501] in Kerberos
Re: Change Realm Name
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Jul 9 17:01:03 2010
From: Greg Hudson <ghudson@mit.edu>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87oceg4jvb.fsf@windlord.stanford.edu>
Date: Fri, 09 Jul 2010 17:00:42 -0400
Message-ID: <1278709242.3976.114.camel@ray>
Mime-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, 2010-07-09 at 13:59 -0400, Russ Allbery wrote:
> IIRC, there's some way to permit this with recent Kerberos clients that
> can support an alternative salt, but I don't remember the details of how
> to make it work. But hopefully those keywords will help get you pointed
> in the right direction.
I don't think the Kerberos clients have to be all that recent. I see
references to PW_SALT and ETYPE_INFO padata types at least as far back
as 1.1. ETYPE_INFO2 support didn't come in until 1.3 (apparently) but I
don't think that's necessary.
In theory, it would be possible to modify all of the principal entries
to contain an explicit salt. I don't know of specific tools to do this,
although I wouldn't be surprised if someone had written one (in the form
of a dumpfile transformation tool, most likely).
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
