[11348] in Kerberos-V5-bugs

[krbdev.mit.edu #6641] Typed-in master passwords should use enctypes

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Thu Jan 14 14:02:11 2010

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6641@krbdev.mit.edu>
Message-ID: <rt-6641-32281.14.1734143102028@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6641'":;"'AdminCc of krbdev.mit.edu Ticket #6641'":;@MIT.EDU
Date: Thu, 14 Jan 2010 14:02:06 -0500 (EST)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

When you use a typed-in password for krb5kdc or kadmind, that password
is converted to a keyblock for a specific enctype, determined either by
realm configuration (master_key_type), command-line flag (krb5kdc's -k
flag), or the built-in default (DEFAULT_KDC_ENCTYPE).

It is unnecessary to require the administrator to specify this enctype,
and it can lead to surprising failures when the built-in default changes
between releases.

Ideally, the password should be tried against each enctype present in
the K/M key data array.  This enhancement requires a change to the
libkdb5 interfaces, since kdb_db_fetch_mkey currently reads the password
and produces a single keyblock.

(A simpler approach would be to use the enctype of the most recent
master key entry.  However, that change could break some working
configurations, where the admin is entering the password of an older
master key entry.)

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
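The two behaviours the ticket contrasts, as an added illustration that is not MIT krb5 code: a password is derived into a keyblock once for a fixed enctype (what the ticket says kdb_db_fetch_mkey does today), versus derived once per enctype present in the K/M entry list and checked against every entry (the proposed enhancement). The enctype names, the PBKDF2-based string-to-key stand-in, the HMAC "verifier" used to check a derived key against a stored entry, the salt value, and the function names are all constructed for this example; they are not krb5 enctype numbers, its string2key functions, or its libkdb5 interfaces.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for Kerberos string-to-key: each toy "enctype" is a
# (hash, iterations, key length) tuple so the example runs offline.
# These are not MIT krb5 enctypes or its real string2key implementations.
ENCTYPES = {
    "toy-aes128-sha1": ("sha1", 4096, 16),
    "toy-aes256-sha1": ("sha1", 4096, 32),
    "toy-aes256-sha384": ("sha384", 32768, 32),
}


def string_to_key(enctype, password, salt):
    """Derive a keyblock for one enctype from a typed-in password (toy version)."""
    digest, iters, keylen = ENCTYPES[enctype]
    return hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(), iters, keylen)


@dataclass
class MasterKeyEntry:
    """One entry of the K/M key data array: key version, enctype, and a check value."""
    kvno: int
    enctype: str
    verifier: bytes  # constructed: HMAC tag standing in for "does this key unlock the entry"


def make_verifier(key):
    return hmac.new(key, b"constructed master key check", hashlib.sha256).digest()


def make_entry(kvno, enctype, password, salt):
    """Build a K/M entry as if the master key had been set from this password."""
    return MasterKeyEntry(kvno, enctype, make_verifier(string_to_key(enctype, password, salt)))


def fetch_mkey_single_enctype(password, salt, entries, enctype):
    """Behaviour the ticket describes today: one keyblock for a fixed enctype
    (from master_key_type, krb5kdc -k, or the built-in default).  Returns the
    kvno of the entry the key matches, or None."""
    verifier = make_verifier(string_to_key(enctype, password, salt))
    for entry in entries:
        if entry.enctype == enctype and hmac.compare_digest(entry.verifier, verifier):
            return entry.kvno
    return None


def fetch_mkey_try_all(password, salt, entries):
    """Proposed behaviour: try the password against each enctype present in the
    K/M key data array.  Keys are derived at most once per enctype, since
    string-to-key is deliberately slow."""
    derived = {}
    for entry in entries:
        if entry.enctype not in derived:
            derived[entry.enctype] = make_verifier(string_to_key(entry.enctype, password, salt))
        if hmac.compare_digest(entry.verifier, derived[entry.enctype]):
            return entry.kvno
    return None


def demo():
    """Realm with an older master key (kvno 1) and a newer one (kvno 2) of a
    different enctype; the admin types the password of the older key.
    Salt and passwords are constructed sample values."""
    salt = "EXAMPLE.COM"
    entries = [
        make_entry(1, "toy-aes128-sha1", "old-master-pw", salt),
        make_entry(2, "toy-aes256-sha384", "new-master-pw", salt),
    ]
    newest_enctype = entries[-1].enctype
    return {
        # Using the newest entry's enctype alone: the older password cannot match.
        "single_enctype_old_pw": fetch_mkey_single_enctype("old-master-pw", salt, entries, newest_enctype),
        # Trying every enctype present finds the kvno 1 entry.
        "try_all_old_pw": fetch_mkey_try_all("old-master-pw", salt, entries),
        "try_all_new_pw": fetch_mkey_try_all("new-master-pw", salt, entries),
        "try_all_wrong_pw": fetch_mkey_try_all("not-the-password", salt, entries),
    }


if __name__ == "__main__":
    for name, kvno in demo().items():
        print(f"{name}: {'no match' if kvno is None else f'matched kvno {kvno}'}")
```

The `demo` scenario is the case the parenthetical in the ticket warns about: picking only the most recent entry's enctype rejects a correct password for an older master key, whereas deriving per enctype and checking each entry accepts it and reports which kvno it unlocked.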