[OpenAFS] Re: Windows AFS client / Kerberos V
Tue, 30 Jan 2007 09:37:57 -0900
Ken Hornstein wrote:
>>> ank -kvno 2 -randkey -e "des-cbc-crc:normal" afs@HEKIMIAN.COM
>>> This has been discussed before AND NOT ENTERED INTO THE DOCUMENTATION.
>> I think -randkey causes the salt to be ignored -- I used :afs3 and
>> a subsequent getprinc says that the principal has no salt.
> It's a bit more complicated than that. When you use -randkey, you're
> creating a random encryption key. Remember that point.
> What the salt does is provide an extra bit of permutation to the
> algorithm to convert a password (what humans type) to an encryption key
> (what Kerberos actually uses). AFS uses one salt algorithm; Kerberos
> V5 by default uses another. But if you're creating a random encryption
> key, there is no password that corresponds to that encryption key, so
> the salt is meaningless; in this case, the Kerberos code is hardcoded
> to only use the "normal" salt for DES-based enctypes.
But you have to specifically ask for :normal.
> Now that I think
> about it, there is probably no reason for this, as it doesn't matter in
> any case and it just ends up confusing people. To complicate matters
> further, in MIT Kerberos "no salt" really means "take the default",
> which means "Use the V5 salt rules" ... and you indicate that by
> adding ":normal" to the encryption type when you create a key.
>> Converting to Kerberos V has been a bit frustrating -- you can't just
>> follow a recipe, you have to use Google and learn quite a bit about
>> K5 and AFS to work through it all. I'm still learning.
> You now see why I included so much basic material about AFS and Kerberos 5
> in the Migration Kit documentation :-/
> OpenAFS-info mailing list