[OpenAFS] Re: Windows AFS client / Kerberos V

ted creedon tcreedon@easystreet.com
Wed, 31 Jan 2007 17:40:51 -0900


Well, it's just a time consumer to figure out what it wants...

-----Original Message-----
From: openafs-info-admin@openafs.org [mailto:openafs-info-admin@openafs.org]
On Behalf Of Marcus Watts
Sent: Wednesday, January 31, 2007 5:13 PM
To: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: Windows AFS client / Kerberos V 

tc <tedcxx3@yahoo.com> writes:
> Ken Hornstein wrote:
> >>> ank -kvno 2 -randkey -e "des-cbc-crc:normal" afs@HEKIMIAN.COM
> >>>
> >>> This has been discussed before AND NOT ENTERED INTO THE DOCUMENTATION.
> >>>       
> >> I think -randkey causes the salt to be ignored -- I used :afs3 and
> >> a subsequent getprinc says that the principal has no salt.
> >>     
> >
> > It's a bit more complicated than that.  When you use -randkey, you're
> > creating a random encryption key.  Remember that point.
> >
> > What the salt does is provide an extra bit of permutation to the
> > algorithm to convert a password (what humans type) to an encryption key
> > (what Kerberos actually uses).  AFS uses one salt algorithm; Kerberos
> > V5 by default uses another.  But if you're creating a random encryption
> > key, there is no password that corresponds to that encryption key, so
> > the salt is meaningless; in this case, the Kerberos code is hardcoded
> > to only use the "normal" salt for DES-based enctypes. 
> But you have to specifically ask for :normal.

You have to say "normal" or "afs3" or "v4" or something.  That's just a
property of the interface.  It's correct to say the salt is
"meaningless", because it truly has no meaning for keys not derived
from a password.

					-Marcus Watts