[36390] in Kerberos
Re: querying salt and kvno via KDC-REQ
daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Fri Aug 15 15:34:50 2014
Date: Fri, 15 Aug 2014 15:34:32 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Mark Pröhl <mark@mproehl.net>
In-Reply-To: <53DE6B63.3020307@mproehl.net>
Message-ID: <alpine.GSO.1.10.1408151529110.21571@multics.mit.edu>
Cc: kerberos@mit.edu
On Sun, 3 Aug 2014, Mark Pröhl wrote:
> I would like to improve some parts of msktutil
> (https://code.google.com/p/msktutil/) and need a way to get information
> about salt and principal's kvno via KDC requests. Do the MIT krb5
> libraries provide functions for this?
>
> Some background information:
>
> The problem with the salt is currently being discussed on this list
> ("ktutil - problems generating AES keys (salt?)").
>
> In the current version, msktutil gets the kvno via an LDAP search
> (attribute msds-keyversionnumber). This leads to problems when AD
> replication is slow. Network sniffs performed after password changes
> show that AS-REP messages already contain the principal's new kvno (in
> the client part) while its LDAP attribute msds-keyversionnumber still
> has the old value.
I only took a quick look ("quick", coming two weeks late; sorry), but it
looks like a combination of krb5_get_init_creds_step and krb5_sendto_kdc
should let one programmatically retrieve an AS-REP including the salt and
kvno for the desired principal, which could then be parsed with
decode_krb5_as_rep().
-Ben
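Added example, not code from this thread, from msktutil or from MIT krb5: a minimal DER walker that reads the two fields Ben's reply is after, the client kvno in the AS-REP enc-part and the salt carried in PA-ETYPE-INFO2 padata, straight from the RFC 4120 structure rather than through libkrb5. The sample AS-REP it parses is constructed in the block itself; the realm EXAMPLE.COM, the principal host/srv.example.com, the salt string and the zeroed cipher bytes are placeholders.

```python
# Added example, not msktutil or MIT krb5 code: walk a DER-encoded AS-REP (RFC 4120) and pull
# out the client kvno (enc-part [6]) and the PA-ETYPE-INFO2 salts; the sample is constructed.

def der(tag, body):                            # encode one TLV: single-byte tag, minimal DER length
    n = len(body)
    length = bytes([n]) if n < 128 else (bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body
def tlv(buf, pos=0):                           # decode the TLV at pos -> (tag, body, next pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                               # long form: low 7 bits = number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n
def seq_items(body):                           # yield (tag, body) for each TLV in a SEQUENCE body
    pos = 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        yield tag, val
def fields(body):                              # context tag number [n] -> body of the TLV it wraps
    return {t & 0x1F: tlv(v)[1] for t, v in seq_items(body)}
integer = lambda b: int.from_bytes(b, "big", signed=True)

def parse_as_rep(buf):                         # -> (client kvno or None, {etype: salt})
    tag, body, _ = tlv(buf)
    assert tag == 0x6B, "not an AS-REP ([APPLICATION 11])"
    top, salts = fields(tlv(body)[1]), {}
    for _, pa in seq_items(top.get(2, b"")):   # padata [2] SEQUENCE OF PA-DATA
        pa = fields(pa)
        if integer(pa[1]) == 19:               # PA-ETYPE-INFO2: salt (and s2kparams) per etype
            for _, entry in seq_items(tlv(pa[2])[1]):
                e = fields(entry)
                salts[integer(e[0])] = e[1].decode() if 1 in e else None
    enc = fields(top[6])                       # enc-part [6] EncryptedData; kvno [1] is OPTIONAL
    return (integer(enc[1]) if 1 in enc else None), salts

# Encoder helpers, used only to construct the placeholder sample AS-REP below.
ctx = lambda n, body: der(0xA0 | n, body)      # [n] EXPLICIT context tag
int_tlv = lambda v: der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
kstr = lambda s: der(0x1B, s.encode())         # KerberosString (GeneralString)
def pname(*parts):                             # PrincipalName with name-type NT-PRINCIPAL (1)
    return der(0x30, ctx(0, int_tlv(1)) + ctx(1, der(0x30, b"".join(map(kstr, parts)))))
def build_sample_as_rep(kvno, salt, etype=18, realm="EXAMPLE.COM"):
    info2 = der(0x30, der(0x30, ctx(0, int_tlv(etype)) + ctx(1, kstr(salt))))
    pa = der(0x30, ctx(1, int_tlv(19)) + ctx(2, der(0x04, info2)))    # PA-DATA uses [1]/[2]
    enc = der(0x30, ctx(0, int_tlv(etype)) + ctx(1, int_tlv(kvno)) + ctx(2, der(0x04, bytes(16))))
    tkt_enc = der(0x30, ctx(0, int_tlv(etype)) + ctx(2, der(0x04, bytes(16))))
    ticket = der(0x61, der(0x30, ctx(0, int_tlv(5)) + ctx(1, kstr(realm))
                           + ctx(2, pname("krbtgt", realm)) + ctx(3, tkt_enc)))
    body = (ctx(0, int_tlv(5)) + ctx(1, int_tlv(11)) + ctx(2, der(0x30, pa)) + ctx(3, kstr(realm))
            + ctx(4, pname("host", "srv.example.com")) + ctx(5, ticket) + ctx(6, enc))
    return der(0x6B, der(0x30, body))
```

A real AS-REP captured from the wire (for example with the sniffs the question mentions) can be fed to parse_as_rep() in place of the constructed one.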
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos