[OpenAFS] Re: Windows AFS client / Kerberos V

Marcus Watts mdw@umich.edu
Wed, 31 Jan 2007 21:12:41 -0500


tc <tedcxx3@yahoo.com> writes:
> Ken Hornstein wrote:
> >>> ank -kvno 2 -randkey -e "des-cbc-crc:normal" afs@HEKIMIAN.COM
> >>>
> >>> This has been discussed before AND NOT ENTERED INTO THE DOCUMENTATION.
> >>>       
> >> I think -randkey causes the salt to be ignored -- I used :afs3 and
> >> a subsequent getprinc says that the principal has no salt.
> >>     
> >
> > It's a bit more complicated than that.  When you use -randkey, you're
> > creating a random encryption key.  Remember that point.
> >
> > What the salt does is provide an extra bit of permutation to the
> > algorithm to convert a password (what humans type) to an encryption key
> > (what Kerberos actually uses).  AFS uses one salt algorithm; Kerberos
> > V5 by default uses another.  But if you're creating a random encryption
> > key, there is no password that corresponds to that encryption key, so
> > the salt is meaningless; in this case, the Kerberos code is hardcoded
> > to only use the "normal" salt for DES-based enctypes. 
> But you have to specifically ask for :normal.

You have to say "normal" or "afs3" or "v4" or something.  That's just a
property of the interface.  It's correct to say the salt is
"meaningless", because it truly has no meaning for keys not derived
from a password.

					-Marcus Watts
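To make the point in this exchange concrete, here is an added example; it is not code from the thread, from OpenAFS or from MIT krb5. It builds the three salt strings kadmin lets you name ("normal" is the RFC 4120 default of realm plus name components with no separators, "v4" is empty, and "afs3" is the cell name, which is assumed here to be the realm lowercased, as MIT krb5 does when it turns an afs3 salt into a cell name), derives a key from a made-up password under each, and then draws a key the way -randkey does. The DES string-to-key itself is not implemented: PBKDF2-HMAC-SHA1 stands in for the RFC 3961 fan-fold/DES-CBC-MAC (and for the crypt(3)-based afs3 variant) only because it is in the standard library and shows the key depending on (password, salt). The odd-parity step is real: every DES key, whether derived or random, gets its low bit per byte set that way.

```python
import hashlib
import os

# Added example, not code from the OpenAFS thread or from krb5/kadmin.
# The realm comes from the message above; the password below is made up.
REALM = "HEKIMIAN.COM"


def default_salt(components, realm):
    """The "normal" (RFC 4120 default) salt: the realm followed by every
    principal name component, concatenated with no separators.  Note that
    afs/cell@REALM therefore gets a different salt than afs@REALM."""
    return realm + "".join(components)


def afs3_salt(realm):
    """The "afs3" salt: the AFS cell name.  Assumption (the usual layout,
    and what MIT krb5 does with an afs3 salt): cell == lowercase realm."""
    return realm.lower()


def v4_salt():
    """The "v4" salt: Kerberos 4 used no salt at all."""
    return ""


def set_odd_parity(key):
    """DES keys carry one parity bit per byte (the low-order bit, per RFC
    3961); every DES key, password-derived or random, is forced to odd
    parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)


def string_to_key(password, salt):
    """Stand-in for a DES string-to-key.  The real des-cbc-crc algorithm is
    the RFC 3961 fan-fold plus DES-CBC-MAC, and afs3 uses a crypt(3)-derived
    variant; PBKDF2-HMAC-SHA1 is used here only because it is in the
    standard library, to show that the key is a function of (password, salt)."""
    raw = hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 8)
    return set_odd_parity(raw)


def random_key():
    """What -randkey does: the key is drawn directly.  There is no password,
    so no salt ever enters the computation; only the parity fix-up applies."""
    return set_odd_parity(os.urandom(8))


def keys_for(components, realm, password):
    """Derive one password under each salt type for a single principal."""
    return {
        "normal": string_to_key(password, default_salt(components, realm)),
        "afs3": string_to_key(password, afs3_salt(realm)),
        "v4": string_to_key(password, v4_salt()),
    }


if __name__ == "__main__":
    # Hypothetical password; the three derived keys differ, the random one
    # is unrelated to any of them.
    for name, key in keys_for(["afs"], REALM, "correct horse").items():
        print(f"{name:7s} {key.hex()}")
    print(f"randkey {random_key().hex()}")
```

Running it prints three distinct derived keys for afs@HEKIMIAN.COM and one random key; swap in ["afs", "hekimian.com"] to see that the "normal" salt changes with the principal's components while the "afs3" salt does not.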