[19985] in Kerberos_V5_Development
Re: Using a master key and principal name to derive password for
daemon@ATHENA.MIT.EDU (Ts7 Coe)
Wed Oct 16 06:33:37 2019
From: Ts7 Coe <tm3y@hotmail.com>
To: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 16 Oct 2019 10:33:29 +0000
Message-ID: <HK2PR06MB3539B86595CCCE03EBBACCE59C920@HK2PR06MB3539.apcprd06.prod.outlook.com>
In-Reply-To: <20191016100945.GE4182@redhat.com>
Content-Language: aa
MIME-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
> Then you don't actually need keys at all. If no one is going to
make an AS_REQ or TGS_REQ with the principal as a target, then you
do not need keys.
The principals will authenticate with each other, so any principal could
be a target of TGS_REQ. So I thinks there still must be keys for every
principal?
> Try to not set entry.key_data and entry.n_key_data (where entry is
krb5_db_entry structure) fields. We do this in FreeIPA for principals
that have no key associated and it works for PKINIT. It works just fine.
I thinks this operation is identical with purgekeys command? Then it could
also make the principal unable to be a server role.
I think principal still need keys in my scenario.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
