[4214] in Kerberos
Re: Random Passwords?
daemon@ATHENA.MIT.EDU (Shawn Mamros)
Thu Nov 17 17:20:20 1994
To: kerberos@MIT.EDU
Date: Thu, 17 Nov 1994 16:53:08
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com

chall@nando.net (Charles Hall) asks:
>Is there an easy way to generate random passwords? I tried the
>RANDOM option to kdb-edit, but if it worked I couldn't tell. It
>never bothered to tell ME what password it selected! Now THAT'S security!!

Actually, the "Random password" prompt is misleading; what it's really
doing is generating a random DES key for the principal. The Kerberos
server stores keys, not passwords; a password is converted into a key
via the des_string_to_key() function. For server-side principals, whose
keys are typically just placed in a srvtab file someplace, and for
whom it isn't likely that a kinit will ever be needed, the random key
generation feature of kdb_edit is very useful. For user principals,
or for any principal for which you expect to actually enter a password,
kdb_edit's random key generator isn't useful at all - there's no telling
if the generated key corresponds to any string whatsoever (which is why
you don't see one...).

It's kind of a shame the V4 kdb_edit prompt is misleading that way...
V5's kdb5_edit does the right thing by calling it "random key" instead
of "random password".

-Shawn Mamros
E-mail to: mamros@ftp.com
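
Added example, not part of the original message and not MIT Kerberos code: a small Python model of the distinction described above, where a user principal's key is derived from a password while a service principal's key is drawn at random and never had a password behind it. The derivation `string_to_key_standin` is a SHA-256-based stand-in with the same shape as des_string_to_key() (string in, 8-byte odd-parity DES key out), not the real algorithm; the principal names, passwords and the dictionary used as a database are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def fix_parity(raw: bytes) -> bytes:
    """Force odd parity per byte: a DES key byte is 7 key bits plus 1 parity bit."""
    out = bytearray()
    for b in raw:
        b &= 0xFE                          # clear the parity bit (least significant bit)
        if bin(b).count("1") % 2 == 0:     # even number of 1 bits among the 7 key bits
            b |= 0x01                      # set the parity bit so the total is odd
        out.append(b)
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


def string_to_key_standin(password: str) -> bytes:
    """STAND-IN for des_string_to_key(): deterministic, one-way, password -> 8-byte key."""
    return fix_parity(hashlib.sha256(password.encode()).digest()[:8])


def random_key() -> bytes:
    """What a 'random key' option amounts to: key bits chosen directly, no string involved."""
    return fix_parity(secrets.token_bytes(8))


def build_kdb() -> dict:
    """Constructed sample database: the server stores keys only, never passwords."""
    return {
        "alice": string_to_key_standin("correct horse battery"),  # user principal
        "rcmd.host1": random_key(),                                # service principal
    }


def password_matches(kdb: dict, principal: str, password: str) -> bool:
    """Client side of a login: derive a key from the typed password, compare to the stored key."""
    return hmac.compare_digest(kdb[principal], string_to_key_standin(password))


if __name__ == "__main__":
    kdb = build_kdb()
    print("alice, right password:", password_matches(kdb, "alice", "correct horse battery"))
    print("service key (hex):    ", kdb["rcmd.host1"].hex())
    guesses = ["", "password", "rcmd", "host1", "changeme"]
    print("any guess fits service key:", any(password_matches(kdb, "rcmd.host1", g) for g in guesses))
```

The service key is usable by anything that holds the key bytes themselves (the srvtab case), but there is no string to print for it, which is why the prompt never reports one.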