[36335] in Kerberos
Re: ktutil - problems generating AES keys (salt?)
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Aug 2 11:03:48 2014
Message-ID: <53DCFDC7.40802@mit.edu>
Date: Sat, 02 Aug 2014 11:03:35 -0400
From: Greg Hudson <ghudson@MIT.EDU>
MIME-Version: 1.0
To: Ben H <bhendin@gmail.com>, kerberos@MIT.EDU
In-Reply-To: <CAAd7auZQRmXxZ2bpNA3rePmSB3ke2YrDBbzrpkwVOWFwW7-eTg@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@MIT.EDU
On 08/02/2014 02:19 AM, Ben H wrote:
> The document is worded poorly as it can be interpreted that this salt is
> used for all enctypes, but I believe that only AES is salted in this way
> and based on my testing RC4 doesn't get salted.
The RC4 enctype completely ignores the salt, so it doesn't matter if
ktutil picks the wrong one.
> I see no way to feed ktutil a salt when generating the key.
I think that's correct. We would like ktutil (or perhaps a successor
program) to be able to make an AS request to get the actual salt from
the KDC, but this hasn't been implemented. Being able to manually
specify a salt could also be useful in some cases.
> I have found a tool called msktutil, which I have built, and it generates
> keytabs properly; I would prefer a method I know will exist with every krb5
> distribution.
I don't have personal experience generating keytabs for an AD domain. I
think msktutil may be the most common way of doing it, but I'm not certain.
The salt you described from the Microsoft documentation matches the
default RFC 4120 salt for a host/fqdn@REALM principal, so if you specify
the principal in exactly the right form (with the correct case), I would
expect ktutil to use the correct salt. So I'm not sure why it isn't
working for you.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
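The reply above turns on two facts: the default RFC 4120 salt for a principal is the realm followed by the name components with no separators, and the AES enctypes feed that salt (with the password) into the RFC 3962 string-to-key function, so a principal typed with the wrong case yields a different key than the one the KDC holds. The following Python is an added illustration of that, written for this archive page; it is not code from MIT krb5, msktutil or the thread's participants. It uses only the standard library, so it covers the salt construction and the PBKDF2 stage of RFC 3962 string-to-key and leaves out the final DK step (AES encryption of an n-folded constant), which needs an AES primitive; the PBKDF2 output is already enough to see the salt's effect. The principal names and password are constructed sample values; the one RFC 3962 Appendix B vector used below ("password", salt "ATHENA.MIT.EDUraeburn", one iteration) is the published one.

```python
"""Default Kerberos salt (RFC 4120 sect. 4) and the PBKDF2 stage of the
AES string-to-key function (RFC 3962 sect. 4), standard library only.

Added illustration for the mailing-list thread; not krb5 project code.
The final DK step of RFC 3962 is omitted because it needs an AES
primitive; the PBKDF2 stage is where the salt enters the derivation.
"""
import hashlib

# RFC 3962 sect. 4: default iteration count when none is sent by the KDC.
DEFAULT_ITERATIONS = 4096


def parse_principal(principal: str):
    """Split 'comp1/comp2@REALM' into (components, realm).

    Handles the plain unquoted form only; the RFC 1964 backslash escapes
    are not needed for host/fqdn@REALM names.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm or not name:
        raise ValueError("principal must look like name@REALM: " + principal)
    return name.split("/"), realm


def default_salt(principal: str) -> str:
    """RFC 4120 default salt: realm, then every name component, no separators.

    Note that nothing is lower- or upper-cased: the salt is exactly what
    the principal says, which is why case matters when building a keytab.
    """
    components, realm = parse_principal(principal)
    return realm + "".join(components)


def aes_pbkdf2_stage(password: str, salt: str, key_bits: int,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 step of RFC 3962 string-to-key (before DK).

    RFC 3962 encodes both the pass phrase and the salt as UTF-8 and
    requests as many output bytes as the AES key size.
    """
    if key_bits not in (128, 256):
        raise ValueError("AES key size must be 128 or 256 bits")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations,
                               key_bits // 8)


def same_key_material(password: str, principal_a: str,
                      principal_b: str) -> bool:
    """True when two spellings of a principal derive the same AES material.

    Two keytab entries made from these spellings would only both work
    against the KDC's key if this returns True.
    """
    mat_a = aes_pbkdf2_stage(password, default_salt(principal_a), 256)
    mat_b = aes_pbkdf2_stage(password, default_salt(principal_b), 256)
    return mat_a == mat_b


if __name__ == "__main__":
    # Constructed sample values: a host principal typed two ways.
    exact = "host/server.example.com@EXAMPLE.COM"
    wrong_case = "host/SERVER.example.com@EXAMPLE.COM"
    print("salt for", exact, "=", default_salt(exact))
    print("salt for", wrong_case, "=", default_salt(wrong_case))
    print("same key material:",
          same_key_material("correct horse", exact, wrong_case))
```

Running the module prints the two salts and `False` for the case-mismatched pair; the RC4 enctype, as the reply notes, never consumes the salt, so the same mismatch would not affect an RC4 keytab entry.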