Subject: Typed-in master passwords should use enctypes in K/M entry
When you use a typed-in password for krb5kdc or kadmind, that password
is converted to a keyblock for a specific enctype, determined by the
realm configuration (master_key_type), a command-line flag (krb5kdc's -k
flag), or the built-in default (DEFAULT_KDC_ENCTYPE).

It is unnecessary to require the administrator to specify this enctype,
and it can lead to surprising failures when the built-in default changes
between releases.

Ideally, the password should be tried against each enctype present in
the K/M key data array. This enhancement requires a change to the
libkdb5 interfaces, since kdb_db_fetch_mkey currently reads the password
and produces a single keyblock.

(A simpler approach would be to use the enctype of the most recent
master key entry. However, that change could break some working
configurations, where the admin is entering the password of an older
master key entry.)