[OpenAFS] Re: Windows AFS client / Kerberos V

tc tedcxx3@yahoo.com
Tue, 30 Jan 2007 09:37:57 -0900

Ken Hornstein wrote:
>>> ank -kvno 2 -randkey -e "des-cbc-crc:normal" afs@HEKIMIAN.COM
>>> This has been discussed before AND NOT ENTERED INTO THE DOCUMENTATION.
>> I think -randkey causes the salt to be ignored -- I used :afs3 and
>> a subsequent getprinc says that the principal has no salt.
> It's a bit more complicated than that.  When you use -randkey, you're
> creating a random encryption key.  Remember that point.
> What the salt does is provide an extra bit of permutation to the
> algorithm to convert a password (what humans type) to an encryption key
> (what Kerberos actually uses).  AFS uses one salt algorithm; Kerberos
> V5 by default uses another.  But if you're creating a random encryption
> key, there is no password that corresponds to that encryption key, so
> the salt is meaningless; in this case, the Kerberos code is hardcoded
> to only use the "normal" salt for DES-based enctypes. 
But you have to specifically ask for :normal.

>  Now that I think
> about it, there is probably no reason for this, as it doesn't matter in
> any case and it just ends up confusing people.  To complicate matters
> further, in MIT Kerberos "no salt" really means "take the default",
> which means "Use the V5 salt rules" ...  and you indicate that by
> adding ":normal" to the encryption type when you create a key.
>> Converting to Kerberos V has been a bit frustrating -- you can't just
>> follow a recipe, you have to use Google and learn quite a bit about
>> K5 and AFS to work through it all.  I'm still learning.
> You now see why I included so much basic material about AFS and Kerberos 5
> in the Migration Kit documentation :-/
> --Ken

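Added illustration of the salt point Ken makes above (not code from the thread, from OpenAFS or from MIT Kerberos): the V5 "normal" salt and the AFS3 salt are different strings derived from the principal, and they only matter when a key is derived from a password; a -randkey key is drawn from random bytes, so no salt is involved and the ":normal" suffix on the enctype is just the label the KDC records. Assumptions, labelled in the code: the V5 default salt is the realm followed by the principal's name components concatenated, the AFS3 salt is the realm lowercased (the cell name), and the DES random-to-key step is "fix odd parity on every byte, then XOR the last byte with 0xF0 if the result is a weak or semi-weak key", which is how I read RFC 3961 section 6.2. The weak-key table is the standard 16-entry list. The principal name is the one from the quoted kadmin line.

```python
"""Kerberos V5 "normal" salt vs AFS3 salt, and what -randkey produces for DES.

Added example for the discussion above; not OpenAFS or MIT Kerberos code.
Assumptions (see lead-in): V5 normal salt = realm + name components,
AFS3 salt = realm lowercased, DES random-to-key = fix parity, nudge weak keys.
"""
import os

# Standard DES weak and semi-weak key table (16 keys), constructed inline.
WEAK_DES_KEYS = frozenset(bytes.fromhex(h) for h in (
    "0101010101010101", "fefefefefefefefe", "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e",
    "01fe01fe01fe01fe", "fe01fe01fe01fe01", "1fe01fe00ef10ef1", "e01fe01ff10ef10e",
    "01e001e001f101f1", "e001e001f101f101", "1ffe1ffe0efe0efe", "fe1ffe1ffe0efe0e",
    "011f011f010e010e", "1f011f010e010e01", "e0fee0fef1fef1fe", "fee0fee0fef1fef1",
))


def parse_principal(princ):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, realm = princ.rsplit("@", 1)
    return name.split("/"), realm


def v5_normal_salt(princ):
    """Kerberos V5 default ("normal") salt: realm followed by the name components
    with no separators (assumption stated in the lead-in)."""
    comps, realm = parse_principal(princ)
    return realm + "".join(comps)


def afs3_salt(princ):
    """AFS3 salt: the cell name, taken here as the realm lowercased (assumption)."""
    _, realm = parse_principal(princ)
    return realm.lower()


def fix_parity(key):
    """Force odd parity on each DES key byte; the low bit is the parity bit."""
    out = bytearray()
    for b in key:
        top7 = b & 0xFE
        ones = bin(top7).count("1")
        out.append(top7 | (0 if ones % 2 else 1))
    return bytes(out)


def is_weak_des_key(key):
    """True if the 8-byte key is one of the DES weak or semi-weak keys."""
    return bytes(key) in WEAK_DES_KEYS


def des_random_to_key(raw):
    """DES random-to-key as assumed here: fix parity, then XOR the last byte
    with 0xF0 if the key is weak. 0xF0 flips four bits and leaves the parity
    bit alone, so the result still has odd parity."""
    if len(raw) != 8:
        raise ValueError("DES random-to-key needs exactly 8 random bytes")
    key = bytearray(fix_parity(raw))
    if is_weak_des_key(key):
        key[7] ^= 0xF0
    return bytes(key)


def random_des_key():
    """What -randkey amounts to: a key with no password behind it, hence no
    salt to apply, whatever salt type the enctype string names."""
    return des_random_to_key(os.urandom(8))


if __name__ == "__main__":
    princ = "afs@HEKIMIAN.COM"  # principal from the kadmin line quoted above
    print("V5 normal salt:", v5_normal_salt(princ))
    print("AFS3 salt     :", afs3_salt(princ))
    key = random_des_key()
    print("random DES key:", key.hex(), "weak:", is_weak_des_key(key))
```

The two salt functions show why a password-derived afs key created with a V5 salt would not match one an AFS kas server would derive from the same password; the random-key path shows why that question never arises after `-randkey`: the key is extracted to a keytab and loaded with asetkey, and no string-to-key ever runs. On a real KDC the check the thread mentions is `getprinc afs@REALM` in kadmin, which reports the enctype and salt type stored for the key.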