[19977] in Kerberos_V5_Development
Using a master key and principal name to derive password for principal
daemon@ATHENA.MIT.EDU (Coe Ts7)
Tue Oct 15 00:21:54 2019
From: Coe Ts7 <tm3y@hotmail.com>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Date: Tue, 15 Oct 2019 03:46:25 +0000
Message-ID: <HK2PR06MB3539C9E563B2EAD28946E5AF9C930@HK2PR06MB3539.apcprd06.prod.outlook.com>
Hi,
I'm looking for a simple but effective high-availability solution for Kerberos.
In my deployment, I will use Kerberos PKINIT. So there's a chance that Kerberos doesn't store the principal list and just generates tickets according to the name in the PKI certificate.
And I am trying to go further and make Kerberos not store principal passwords, so that Kerberos is completely stateless and fully trusts the PKI.
To achieve that, I want to use some crypto and hashing mechanisms so that all Kerberos instances can calculate the same password for each principal from a shared master key and the principal name.
I'm wondering whether this approach is cryptographically secure. If so, is there some source code for reference to implement this algorithm?
Thanks in advance!
Regards,
tm3y
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
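
The derivation asked about in the message above, sketched as an added example that is not part of the original post and is not MIT krb5 code: each instance derives a principal's key bytes (rather than a password string) from the shared master key with HKDF-SHA256 (RFC 5869) over a length-prefixed encoding of the principal name. The label, the field encoding, the function names and the sample principal are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF from RFC 5869: extract a PRK from ikm, then expand to `length` bytes."""
    if not 0 < length <= 255 * 32:
        raise ValueError("HKDF-SHA256 output must be 1..8160 bytes")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def encode_context(components, realm, kvno, enctype):
    """Length-prefix every field so that ("a", "b/c") and ("a/b", "c")
    can never encode to the same bytes (no separator ambiguity)."""
    if not components or not realm:
        raise ValueError("principal needs at least one component and a realm")
    out = struct.pack(">III", enctype, kvno, len(components))
    for field in [*components, realm]:
        raw = field.encode("utf-8")
        out += struct.pack(">I", len(raw)) + raw
    return out

# Assumption: fixed, public label used as the HKDF salt for domain separation.
LABEL = b"example-stateless-kdc/principal-key/v1"

def derive_principal_key(master_key, components, realm, kvno=1, enctype=18):
    """Derive 32 key bytes for one principal; enctype 18 is aes256-cts-hmac-sha1-96.
    Every instance holding master_key computes the same value, with no stored state."""
    if len(master_key) < 32:
        raise ValueError("master key must be at least 32 random bytes")
    info = encode_context(components, realm, kvno, enctype)
    return hkdf_sha256(LABEL, master_key, info, 32)

if __name__ == "__main__":
    master = bytes(range(32))  # constructed sample; generate with a CSPRNG in practice
    k1 = derive_principal_key(master, ["host", "web1.example.org"], "EXAMPLE.ORG")
    k2 = derive_principal_key(master, ["host", "web1.example.org"], "EXAMPLE.ORG", kvno=2)
    print(k1.hex())
    print(k2.hex())
```

Anyone who obtains the master key can recompute every principal's key, and because nothing else is stored, rotating one principal's key means changing `kvno` in the derivation input.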