[17045] in Kerberos_V5_Development
Re: Multiple ETYPE-INFO-ENTRY with same etype but different salts
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jul 18 10:15:38 2011
From: Greg Hudson <ghudson@mit.edu>
To: Weijun Wang <weijun.wang@oracle.com>
In-Reply-To: <4E243D99.1000302@oracle.com>
Date: Mon, 18 Jul 2011 10:15:35 -0400
Message-ID: <1310998535.23877.52.camel@t410>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Mon, 2011-07-18 at 10:05 -0400, Weijun Wang wrote:
> I guess the keys are stored in a db file as an array. Isn't there a way
> to strip some kinds of keys from this file to make a new db? Or, its
> integrity protection is so nice that we cannot touch it at all?

The KDB is actually pretty malleable, and can be modified with scripts
using dump and load. The keys themselves are encrypted in the master
key, but that shouldn't be a problem since a script can just treat those
as opaque values.

So, if the AFS3-salted entries aren't needed, they could be removed,
which I think would cause the default salt to be used (which would then
work against the des-cbc-md5:normal key data entries).

_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
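
A sketch of the dump-and-load filtering described in the message above, added here as an example and not taken from the thread or from MIT krb5. It assumes the tab-separated "princ" record layout that kdb5_util dump writes, that the AFS3 salt type is 5 (KRB5_KDB_SALTTYPE_AFS3), and that principal names contain no tabs; the sample record and its hex values are constructed.

```python
import sys

AFS3_SALT = 5  # assumed value of KRB5_KDB_SALTTYPE_AFS3 in MIT krb5's kdb.h

def strip_salt(line, salt_type=AFS3_SALT):
    """Drop key data entries carrying salt_type from one dump line."""
    if not line.startswith("princ\t"):
        return line  # header and policy records pass through untouched
    f = line.rstrip("\n").split("\t")
    n_tl, n_key = int(f[3]), int(f[4])
    # 7 leading fields + 8 attribute/time fields, then 3 fields per tl_data
    i = key_start = 15 + 3 * n_tl
    kept, removed = [], 0
    for _ in range(n_key):
        ver = int(f[i])
        # ver, kvno, then ver * (type, length, contents); contents stay opaque
        entry = f[i:i + 2 + 3 * ver]
        i += len(entry)
        # ver 2 entries store an explicit salt as the second triple
        if ver >= 2 and int(entry[5]) == salt_type:
            removed += 1
        else:
            kept.extend(entry)
    f[4] = str(n_key - removed)  # keep the key data count consistent
    return "\t".join(f[:key_start] + kept + f[i:]) + "\n"

# Constructed record: one tl_data, a ver 1 des-cbc-md5 key (default salt)
# and a ver 2 des-cbc-crc key with an AFS3 salt. Hex values are placeholders.
SAMPLE = "\t".join([
    "princ", "38", "16", "1", "2", "0", "user@EXAMPLE.COM",
    "0", "86400", "604800", "0", "0", "0", "0", "0",
    "2", "8", "0011223344556677",
    "1", "1", "3", "4", "aabbccdd",
    "2", "1", "1", "4", "11223344", "5", "4", "63656c6c",
    "-1;",
]) + "\n"

if __name__ == "__main__":
    # Filter a dump on stdin to stdout, for loading into a new database
    for line in sys.stdin:
        sys.stdout.write(strip_salt(line))
```

Run it on a copy of the output of kdb5_util dump and load the result into a scratch database first, so the rewritten records can be checked before they replace anything.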