[14916] in Kerberos


Re: Can we rename a principal yet?

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Aug 1 11:33:27 2001

Message-ID: <3B68216D.D420D3@anl.gov>
Date: Wed, 01 Aug 2001 10:34:05 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Nicolas Williams <Nicolas.Williams@ubsw.com>
CC: "Christopher P. Lindsey" <lindsey@mallorn.com>, kerberos@MIT.EDU
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Nicolas Williams wrote:
> 
> More to the point: do the MIT KDC and client libraries support the use
> of the pa-pw-salt/etype-info pre-auth/e-data items in AS-REP/KRB-ERROR
> messages?
> 
> If not, when will they? :)
> 
> That said, looking at the source, the MIT krb5 client libraries do have
> code to support pa-pw-salt/etype-info (yay!).
> 
> And the KDC has code to support sending pa-pw-salt/etype-info
> pre-auth/e-data items to clients.
> 
> The problem appears to be simply that the KDC does not store a
> principal's key's salt separately from the principal's name.

Correct. The mod I spoke of sets a key and a SPECIAL salt, which in
our case was based on changing a realm name. This then works with the
client as long as you make sure +require_preauth is set.


> 
> That is the crux of the matter. Kadmind needs to save a principal's old
> name (with each key) when renaming that principal (except for keys that
> already had an old principal name associated with them) and the KDC
> needs to be capable of retrieving an old principal name associated with
> a particular key of any principal and then use that for the
> pa-pw-salt/etype-info items.
> 
> The questions are: will anyone implement those changes? and when?
> 
> Cheers,
> 
> Nico
> 
> On Wed, Aug 01, 2001 at 12:32:33AM -0500, Christopher P. Lindsey wrote:
> > Yes, I know it's a FAQ, and yes, I know the key is (usually) salted
> > with the entire principal name.
> >
> > In my specific case, I'm only salting the key with the realm name since
> > the instance for many of these principals will change at a later date.
> >
> > As an aside, is there any way to specify an alternative salt via
> > kadmin?  The docs indicate that you can do '-e enctype:salttype' or
> > even '-salt salttype', but neither appears to work for me.  I can
> > change/add it in kdc.conf, but that's not too exciting either.
> >
> > Thanks,
> >
> > Chris

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
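The salt bookkeeping the thread is about, as an added Python model that is not code from the archive or from MIT krb5: the salt-type names follow MIT's kdc.conf salt types, and the PBKDF2 stage of RFC 3962 stands in for the full string-to-key (the final DK() step is omitted, so the keys are illustrative, not interoperable).

```python
import hashlib

# Split "host/foo.example.com@EXAMPLE.COM" into (realm, [components]).
def parse_principal(text):
    name, realm = text.rsplit("@", 1)
    return realm, name.split("/")

# MIT salt types: normal = realm + components, norealm, onlyrealm, v4 (empty).
def salt_for(principal, salttype="normal"):
    realm, comps = parse_principal(principal)
    if salttype == "normal":
        return realm + "".join(comps)
    if salttype == "norealm":
        return "".join(comps)
    if salttype == "onlyrealm":
        return realm
    if salttype == "v4":
        return ""
    raise ValueError("unsupported salt type: " + salttype)

# Stand-in for string-to-key: only the PBKDF2-HMAC-SHA1 stage of RFC 3962,
# 4096 iterations, 128-bit output. Real AES keys need the DK() step too.
def string_to_key(password, salt, iterations=4096):
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, 16)

# Constructed KDC database: each entry keeps the key and the salt it was made with.
def store_key(db, principal, password, salttype="normal"):
    salt = salt_for(principal, salttype)
    db[principal] = {"key": string_to_key(password, salt), "salt": salt}

# Renaming moves the entry; the key and its original salt travel with it.
def rename_principal(db, old, new):
    db[new] = db.pop(old)

# KDC side: the salt sent in pa-pw-salt/etype-info. A KDC that does not
# record the salt per key can only offer the default salt of the current name.
def advertised_salt(db, principal, stores_salt=True):
    return db[principal]["salt"] if stores_salt else salt_for(principal)

# Client side: derive the key from the password and the advertised salt.
def client_can_authenticate(db, principal, password, stores_salt=True):
    salt = advertised_salt(db, principal, stores_salt)
    return string_to_key(password, salt) == db[principal]["key"]
```

With the stored salt the renamed principal still authenticates; without it the client derives a key from the new name's default salt and the AS exchange fails.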
