Skip Menu |

Subject: let ktutil support non-default salts
Adding an entry to a keytab from a password with ktutil currently assumes the default salt,
without even the options for salt types that are available in kadmin.
It would be nice to have those, as well as the ability to specify an explicit salt string (or make an
AS_REQ to get the actual salt for the principal from the KDC).
If random salts become more popular, this functionality will be more necessary than it presently
From: Sam Hartman <>
Subject: Re: [ #7647] let ktutil support non-default salts
Date: Tue, 28 May 2013 11:51:53 -0400

Especially because of the random salt discussion on kitten, if I were
going to implement this I'd like to see something like a

krb5_get_init_creds_probe_etype_info that probes the salt and encryption
types the KDC offers for a principal. Such an interface should take
gic_opts mostly for FAST related stuff and ideally re-use most/all of
the GIC mechanisms.

We got a github PR to address the original issue, which I will be
merging shortly (closing this ticket).

I agree with Sam that fetching the etype-info2 information would be a
superior solution, though it would require much more work. I will open
a separate ticket for that.
Subject: git commit

Add ktutil add_entry option to specify salt

[ also fix minor leak in ktutil_add()]
Author: Mubashir Kazia <>
Committer: Greg Hudson <>
Commit: 1a3f7ce0708a0695fd93c2445cf1fd0401ce00d4
Branch: master
doc/admin/admin_commands/ktutil.rst | 2 +-
src/kadmin/ktutil/ktutil.c | 13 ++++++++++---
src/kadmin/ktutil/ktutil.h | 3 ++-
src/kadmin/ktutil/ktutil_funcs.c | 17 ++++++++++++-----
src/man/ | 2 +-
5 files changed, 26 insertions(+), 11 deletions(-)