Skip Menu |
 

Subject: ktutil addent should be able to fetch etype-info2 for principal
At the moment, ktutil addent requires you to specify the enctype and
salt (if it's not the default), and it just can't work if there are
s2kparams or a salt that can't be written as a C string on the command
line. There should be an option to fetch the etype-info2 value for
the principal from the KDC and use that.

To do this we need a new library interface, probably an extension of
the get_init_creds interfaces, to make an AS-REQ and extract the
etype-info2 from either the AS-REP or PREAUTH_REQUIRED error response.

(You also have to specify a kvno to ktutil addent. That information
is available from the KDC if it issues a ticket and includes a kvno in
the EncryptedData, but not if preauth is required for the principal or
if the KDC just doesn't include a kvno when issuing a ticket. So I
don't think it's worth the complexity of even trying to fetch it.)
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 1.2KiB

Add API to retrieve etype-info from KDC

Add the krb5_get_etype_info() API, which sends an initial ticket
request to the KDC and extracts an enctype, salt, and s2kparams value
from the first KDC reply. This function will help ktutil use the
correct salt and s2kparams when creating keytabs.

[ghudson@mit.edu: renamed API to krb5_get_etype_info() and adjusted
behavior]

https://github.com/krb5/krb5/commit/c67c0e1a446d2230a1daa28ab058e37e5c6f4734
Author: Mubashir Kazia <mkazia@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: c67c0e1a446d2230a1daa28ab058e37e5c6f4734
Branch: master
.gitignore | 1 +
doc/appdev/refs/api/index.rst | 1 +
src/include/krb5/krb5.hin | 37 +++++++-
src/lib/krb5/krb/Makefile.in | 14 +++-
src/lib/krb5/krb/get_etype_info.c | 180 ++++++++++++++++++++++++++++++++++
src/lib/krb5/krb/int-proto.h | 4 +
src/lib/krb5/krb/preauth2.c | 8 +-
src/lib/krb5/krb/t_get_etype_info.c | 110 +++++++++++++++++++++
src/lib/krb5/krb/t_get_etype_info.py | 63 ++++++++++++
src/lib/krb5/libkrb5.exports | 1 +
src/lib/krb5_32.def | 1 +
11 files changed, 413 insertions(+), 7 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add ktutil addent option to fetch salt from KDC

Add a -f flag to ktutil addent. If specified, the enctype need not be
specified (although it can be) and ktutil will request etype-info from
the KDC to produce the string-to-key parameters.

https://github.com/krb5/krb5/commit/eb5d2c9afa4eba05f44e66d0e843b94be74d53e7
Author: Greg Hudson <ghudson@mit.edu>
Commit: eb5d2c9afa4eba05f44e66d0e843b94be74d53e7
Branch: master
doc/admin/admin_commands/ktutil.rst | 11 +++-
src/kadmin/ktutil/ktutil.c | 19 +++++---
src/kadmin/ktutil/ktutil.h | 1 +
src/kadmin/ktutil/ktutil_funcs.c | 87 ++++++++++++++++++++++++++++-------
src/tests/t_keytab.py | 43 +++++++++++++++++
5 files changed, 134 insertions(+), 27 deletions(-)