[OpenAFS] Re: Windows AFS client / Kerberos V
Wed, 31 Jan 2007 21:12:41 -0500
tc <email@example.com> writes:
> Ken Hornstein wrote:
> >>> ank -kvno 2 -randkey -e "des-cbc-crc:normal" afs@HEKIMIAN.COM
> >>> This has been discussed before AND NOT ENTERED INTO THE DOCUMENTATION.
> >> I think -randkey causes the salt to be ignored -- I used :afs3 and
> >> a subsequent getprinc says that the principal has no salt.
> > It's a bit more complicated than that. When you use -randkey, you're
> > creating a random encryption key. Remember that point.
> > What the salt does is provide an extra bit of permutation to the
> > algorithm to convert a password (what humans type) to an encryption key
> > (what Kerberos actually uses). AFS uses one salt algorithm; Kerberos
> > V5 by default uses another. But if you're creating a random encryption
> > key, there is no password that corresponds to that encryption key, so
> > the salt is meaningless; in this case, the Kerberos code is hardcoded
> > to only use the "normal" salt for DES-based enctypes.
> But you have to specifically ask for :normal.
You have to say "normal" or "afs3" or "v4" or something. That's just a
property of the interface. It's correct to say the salt is
"meaningless", because it truely has no meaning for keys not derived
from a password.
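To make the distinction in the thread concrete, here is a small illustration (added here, not from the thread or from OpenAFS/MIT krb5) of the three objects being discussed: the salt string a principal gets under the "normal" and "afs3" salt types, the password-to-key conversion that consumes that salt, and the -randkey case where there is no password at all. Assumptions: the salt forms follow the MIT krb5 conventions as I understand them (normal = realm followed by the principal's name components with no separators; afs3 = the cell name, i.e. the lower-cased realm), and string_to_key() is a stand-in built on PBKDF2-HMAC-SHA1 plus DES parity fixing, not the real des-cbc-crc string-to-key from RFC 3961 (which needs a DES CBC checksum and weak-key checks); the principal and realm names are taken from the ank command quoted above.

```python
import hashlib
import os


def normal_salt(principal: str, realm: str) -> str:
    """Kerberos V5 default ("normal") salt for a principal.

    Assumption for this illustration: realm name followed by the
    principal's name components joined without separators, which is
    the MIT krb5 default salting rule.
    """
    components = principal.split("/")
    return realm + "".join(components)


def afs3_salt(realm: str) -> str:
    """AFS-style (afs3) salt: the cell name, i.e. the realm lower-cased.

    Assumption for this illustration.
    """
    return realm.lower()


def fix_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as DES key bytes require.

    The low bit of each byte is the parity bit; the other seven bits
    carry key material.
    """
    out = bytearray()
    for b in key:
        ones = bin(b & 0xFE).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    """True if every byte of key has odd parity."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def string_to_key(password: str, salt: str) -> bytes:
    """Password -> 8-byte DES-sized key.

    Stand-in string-to-key (assumption): PBKDF2-HMAC-SHA1 truncated to
    8 bytes with DES parity applied. The salt changes the result, which
    is the whole point of the "normal" vs "afs3" distinction: the same
    password yields different keys under different salts.
    """
    raw = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt.encode("utf-8"), 4096, 8
    )
    return fix_des_parity(raw)


def random_key() -> bytes:
    """What -randkey produces: fresh random key bytes.

    No password is involved, so no salt is consumed; only the DES
    parity rule still applies to the bytes.
    """
    return fix_des_parity(os.urandom(8))


def demo(password: str = "constructed-sample-password",
         principal: str = "afs", realm: str = "HEKIMIAN.COM") -> dict:
    """Derive keys for the same password under both salt types and
    generate one random key; returns the observations as a dict."""
    n_salt = normal_salt(principal, realm)
    a_salt = afs3_salt(realm)
    k_normal = string_to_key(password, n_salt)
    k_afs3 = string_to_key(password, a_salt)
    k_random = random_key()
    return {
        "normal_salt": n_salt,
        "afs3_salt": a_salt,
        "same_password_different_salt_differs": k_normal != k_afs3,
        "random_key_len": len(k_random),
        "random_key_parity_ok": has_odd_parity(k_random),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the salt strings "HEKIMIAN.COMafs" and "hekimian.com" producing two different keys from one password, while random_key() never touches a salt at all; that is why the salt type given to ank is irrelevant when -randkey is used, and why a later getprinc can report no salt for such a principal.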