[31378] in Kerberos


Re: ktadd then principal's password no longer works?

daemon@ATHENA.MIT.EDU (Shumon Huque)
Fri Aug 14 11:13:07 2009

Date: Fri, 14 Aug 2009 11:12:07 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Jeff Blaine <jblaine@kickflop.net>
Message-ID: <20090814151207.GA15104@isc.upenn.edu>
In-Reply-To: <4A857AF3.8080203@kickflop.net>
Cc: kerberos@mit.edu

On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote:
> Again, I must really not understand something.  This
> principal's password is getting trashed after I use
> ktadd
> 
> % sudo kadmin -p admin/admin
> Authenticating as principal admin/admin with password.
> Password for admin/admin@FOO.COM:
> kadmin:  ktadd -k admin.kt admin/admin
> Entry for principal admin/admin with kvno 9, encryption type Triple DES 
> cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
> Entry for principal admin/admin with kvno 9, encryption type DES cbc 
> mode with CRC-32 added to keytab WRFILE:admin.kt.
> kadmin:  quit
> 
> % sudo kadmin -p admin/admin
> Authenticating as principal admin/admin with password.
> Password for admin/admin@FOO.COM:
> kadmin: Incorrect password while initializing kadmin interface
> 
> ^^^ tried many times -- had to fix via kadmin.local

This won't work. ktadd creates a new random key every time it
is invoked, thus destroying your earlier password-derived
key. The manpage says:

     ktadd [-k keytab] [-q] [-e keysaltlist]
          [principal | -glob princ-exp] [...]

          Adds a principal or all principals  matching  princ-exp
          to  a  keytab,  randomizing each principal's key in the
          process. ...

I don't think the MIT distro has any tool to do what you want.
You'd probably need to write a program to extract the
password-derived key directly from the KDB.

--Shumon.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
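
An added illustration, not part of the original message and not MIT Kerberos code: a small Python model of the behaviour described in the reply above, where ktadd swaps the password-derived key for a random one and bumps the kvno. `ToyKDB` and its methods are hypothetical, the key derivation is reduced to a PBKDF2 step, and the password and the starting kvno of 8 are constructed so that ktadd yields kvno 9 as in the transcript.

```python
import hashlib
import hmac
import os

def string_to_key(password: str, principal: str) -> bytes:
    """Simplified stand-in for Kerberos string-to-key (PBKDF2 step only)."""
    name, realm = principal.split("@")
    salt = realm + name.replace("/", "")  # default salt: realm + name components
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)

class ToyKDB:
    """Hypothetical in-memory stand-in for the KDC database: principal -> (kvno, key)."""

    def __init__(self):
        self.db = {}

    def set_password(self, principal, password, kvno=1):
        # The stored long-term key is derived from the password.
        self.db[principal] = (kvno, string_to_key(password, principal))

    def ktadd(self, principal):
        """Model of ktadd: replace the stored key with a random one, bump the kvno."""
        kvno, _old_key = self.db[principal]
        entry = (kvno + 1, os.urandom(32))
        self.db[principal] = entry
        return entry  # what would be written to the keytab

    def password_ok(self, principal, password):
        _kvno, key = self.db[principal]
        return hmac.compare_digest(key, string_to_key(password, principal))

    def keytab_ok(self, principal, entry):
        kvno, key = self.db[principal]
        return kvno == entry[0] and hmac.compare_digest(key, entry[1])

def demo():
    princ, pw = "admin/admin@FOO.COM", "constructed-sample-password"
    kdb = ToyKDB()
    kdb.set_password(princ, pw, kvno=8)   # assumption: kvno 8 before ktadd
    before = kdb.password_ok(princ, pw)
    entry = kdb.ktadd(princ)
    # (password before, password after, keytab after, new kvno)
    return before, kdb.password_ok(princ, pw), kdb.keytab_ok(princ, entry), entry[0]

if __name__ == "__main__":
    print(demo())
```

In the model, as in the transcript, only the keytab entry authenticates after ktadd; setting the password again would in turn invalidate the keytab entry.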
