[31380] in Kerberos
Re: ktadd then principal's password no longer works?
daemon@ATHENA.MIT.EDU (Jeff Blaine)
Fri Aug 14 11:27:11 2009
Message-ID: <4A85821E.1080601@kickflop.net>
Date: Fri, 14 Aug 2009 11:26:22 -0400
From: Jeff Blaine <jblaine@kickflop.net>
MIME-Version: 1.0
To: Shumon Huque <shuque@isc.upenn.edu>
In-Reply-To: <20090814151207.GA15104@isc.upenn.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Goofy :/
I wonder how people script kadmin queries with MIT-krb5.
You know, like, setting every principal's password expiration.
Shumon Huque wrote:
> On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote:
>> Again, I must really not understand something. This
>> principal's password is getting trashed after I use
>> ktadd
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/admin@FOO.COM:
>> kadmin: ktadd -k admin.kt admin/admin
>> Entry for principal admin/admin with kvno 9, encryption type Triple DES
>> cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
>> Entry for principal admin/admin with kvno 9, encryption type DES cbc
>> mode with CRC-32 added to keytab WRFILE:admin.kt.
>> kadmin: quit
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/admin@FOO.COM:
>> kadmin: Incorrect password while initializing kadmin interface
>>
>> ^^^ tried many times -- had to fix via kadmin.local
>
> This won't work. ktadd creates a new random key every time it
> is invoked, thus destroying your earlier password derived
> key. The manpage says:
>
> ktadd [-k keytab] [-q] [-e keysaltlist]
> [principal | -glob princ-exp] [...]
>
> Adds a principal or all principals matching princ-exp
> to a keytab, randomizing each principal's key in the
> process. ...
>
> I don't think the MIT distro has any tool to do what you want.
> You'd probably need to write a program to extract the password
> derived key directly from the KDB.
>
> --Shumon.
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
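Shumon's point is that ktadd replaces the password-derived key with a random one and bumps the kvno, which is why the usual way to script kadmin is a dedicated principal created with `addprinc -randkey`, exported once to a keytab, and used with `kadmin -k -t`. The following is an added example, not code from the thread: it builds such keytab-authenticated queries, compares two `getprinc` snapshots to detect the rotation ktadd performs, and runs the bulk password-expiration task Jeff mentions. The principal name admin/script, the keytab path, and the getprinc and list_principals text are constructed.

```python
import re
import subprocess

# Constructed getprinc output before and after 'ktadd -k admin.kt admin/admin'.
# ktadd replaces the password-derived key with a random one and bumps the
# kvno, so the old password no longer matches any key the KDC holds.
BEFORE = """Principal: admin/admin@FOO.COM
Number of keys: 2
Key: vno 9, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 9, DES cbc mode with CRC-32, no salt
"""
AFTER = BEFORE.replace("vno 9", "vno 10")

KEY_RE = re.compile(r"^Key: vno (\d+), ([^,\n]+)", re.MULTILINE)

def parse_keys(getprinc_output):
    """Map kvno -> list of enctypes from 'getprinc PRINC' output."""
    keys = {}
    for vno, enctype in KEY_RE.findall(getprinc_output):
        keys.setdefault(int(vno), []).append(enctype.strip())
    return keys

def key_rotated(before, after):
    """True when the highest kvno changed between two snapshots, i.e. the
    key was randomized (by ktadd or by change_password -randkey)."""
    return max(parse_keys(before), default=0) != max(parse_keys(after), default=0)

def kadmin_cmd(query, princ="admin/script", keytab="/etc/krb5.admin.kt"):
    """Non-interactive kadmin: -k -t KEYTAB authenticates with the keytab.
    PRINC is assumed to be a dedicated principal made with 'addprinc
    -randkey' and exported once with ktadd, so nobody's password depends
    on its key. Grant it only the kadm5.acl rights the job needs."""
    return ["kadmin", "-k", "-t", keytab, "-p", princ, "-q", query]

def set_pwexpire_all(expire, list_output=None, run=subprocess.run):
    """Bulk task from the thread: modprinc -pwexpire on every user
    principal. EXPIRE must be a single token kadmin's date parser accepts
    (e.g. 2010-01-01). Principals with an instance (host/..., admin/...)
    are assumed to be service or admin accounts and skipped; adjust the
    filter to your naming scheme. Returns the principals touched."""
    if list_output is None:
        list_output = run(kadmin_cmd("list_principals"), check=True,
                          capture_output=True, text=True).stdout
    users = [p for p in list_output.split() if "@" in p and "/" not in p]
    for p in users:
        run(kadmin_cmd(f"modprinc -pwexpire {expire} {p}"), check=True)
    return users
```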