[2173] in Kerberos-V5-bugs
Re: Using AFS String_to_key with K5 beta 6
daemon@ATHENA.MIT.EDU (Doug Engert)
Tue Aug 20 16:43:30 1996
Date: Tue, 20 Aug 1996 15:43:19 -0500
From: Doug Engert <DEEngert@anl.gov>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: Doug Engert <DEEngert@anl.gov>, krb5-bugs@MIT.EDU
In-Reply-To: <199608201628.MAA08153@ginger.cmf.nrl.navy.mil>
Ken Hornstein writes:
> >I would like to make a suggestion which would simplify the migration
> >for AFS sites to Kerberos 5.
> >[...]
> >If the K5 database also contained the salt, rather than just a salt
> >type, it could also handle realm name changes as well. (You may want
> >to consider this for a future version of K5.)
>
> Errr, the K5 database _does_ contain the salt. I've used this feature myself
> for AFS cells that aren't in the same Kerberos realm. Unfortunately, the
> beta 6 KDC sends back a salt that's always the current realm instead of
> the salt that's in the database; I've sent in patches to krb5-bugs to
> fix that problem.
>
I looked at the kdc/kdc_preauth.c code, and as you pointed
out it sends back a salt using the principal's realm, and does not look
in the database. I did not look at the database code.
The OSF people sound interested in the "AFS:" mod since it does not
require any additional changes to the servers. It sort of makes
AFS a subset of the KRB5_PADATA_PW_SALT pa_type.
> --Ken
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444 <New Area Code 8/3/96>
PGP Key fingerprint = 20 2B 0C 78 43 8A 9C A6 29 F7 A3 6D 5E 30 A6 7F