[1027] in Kerberos_V5_Development
keytab: enctype matching
daemon@ATHENA.MIT.EDU (Richard Basch)
Tue Mar 19 22:52:43 1996
Resent-From: basch@lehman.com (Richard Basch)
Resent-To: krbdev@MIT.EDU
From: "Richard Basch" <basch@lehman.com>
To: tytso@MIT.EDU, hartmans@MIT.EDU
Date: Tue, 19 Mar 1996 22:35:20 -0500

I just did a search throughout all the sources, and it appears that the
enctype matching was added by Sam. We also discussed the possibility of
creating a new API that would simply get a keyblock given the various
parameters, using the keytab iterator functions.

After further investigation, I propose we simply modify ktf_g_ent.c to
do the DES equivalency internally. Basically, there are only two keytab
types (file and db). Only "file" has an iterator defined; the db
variant only has get_entry defined. Therefore, it would just be easier
to do the DES equivalency in the get_entry. The places that call
get_entry are:

    rd_req_dec.c
    read_servi.c
    in_tkt_ktb.c
    krb524d.c
    krb_auth_su.c (ksu)

This one patch should solve all the DES interoperability problems. Of
course, you will still be in trouble if you have a service key that has
two DES keys (using different salts), but we can't really deal with that
case for many reasons.

Comments?

Richard Basch
Sr. Developer/Analyst URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc. Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor Fax: +1-201-524-5828
Jersey City, NJ 07302-3988 Voice: +1-201-524-5049
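
A simplified C model of the proposal in the message above, added here as an illustration and not taken from ktf_g_ent.c or any other MIT krb5 source: a get_entry-style lookup that folds the single-DES enctypes into one class before comparing. The struct, function names, sample principals, the kvno 0 / enctype 0 wildcard convention and the `dups` counter are assumptions of this sketch; `dups` shows two DES entries at the same kvno becoming indistinguishable once folded, which is how the sketch models the two-DES-keys caveat.

```c
/* Added illustration: a simplified model, not MIT krb5 source. */
#include <stdio.h>
#include <string.h>
/* DES enctype numbers from RFC 1510; ET_OTHER is a constructed non-DES placeholder. */
enum { ET_DES_CBC_CRC = 1, ET_DES_CBC_MD4 = 2, ET_DES_CBC_MD5 = 3, ET_OTHER = 99 };

/* Hypothetical keytab entry (a real one also carries key bytes and a timestamp). */
struct kt_entry { const char *princ; int kvno; int enctype; };
/* Constructed sample keytab. */
static const struct kt_entry sample_kt[] = {
    { "host/a.example.com", 1, ET_DES_CBC_CRC },
    { "host/a.example.com", 2, ET_DES_CBC_CRC },
    { "host/b.example.com", 1, ET_DES_CBC_MD5 },
    { "host/c.example.com", 1, ET_DES_CBC_CRC },
    { "host/c.example.com", 1, ET_DES_CBC_MD5 },
};
static const size_t sample_kt_len = sizeof sample_kt / sizeof sample_kt[0];

/* Fold the single-DES enctypes, which share one key format, into one class. */
static int key_class(int et)
{
    return (et >= ET_DES_CBC_CRC && et <= ET_DES_CBC_MD5) ? ET_DES_CBC_CRC : et;
}

/* get_entry-style lookup. Convention of this sketch: kvno 0 = highest kvno,
 * enctype 0 = any. *dups counts extra entries tied with the returned one. */
const struct kt_entry *kt_get_entry(const struct kt_entry *kt, size_t n,
                                    const char *princ, int kvno, int enctype, int *dups)
{
    const struct kt_entry *best = NULL;
    *dups = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(kt[i].princ, princ) != 0) continue;
        if (kvno != 0 && kt[i].kvno != kvno) continue;
        if (enctype != 0 && key_class(kt[i].enctype) != key_class(enctype)) continue;
        if (best != NULL && kt[i].kvno == best->kvno) { (*dups)++; continue; }
        if (best == NULL || kt[i].kvno > best->kvno) { best = &kt[i]; *dups = 0; }
    }
    return best;
}

int main(void)
{
    int dups;
    const struct kt_entry *e = kt_get_entry(sample_kt, sample_kt_len,
                                            "host/a.example.com", 0, ET_DES_CBC_MD5, &dups);
    printf("kvno=%d stored_enctype=%d dups=%d\n", e->kvno, e->enctype, dups);
    return 0;
}
```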