convert cleartext password to principal key


Rachit Raj
Hi,

I am working on Java code to integrate users' passwords in corporate LDAP
with Kerberos principal keys. This code would ensure that whenever users
change their LDAP password, their Kerberos key would be updated
automatically. Basically they would have only one password for both
LDAP and Kerberos authentication. I am using Java's Kerberos package to
generate the Kerberos principal key. But when I saved this key to the
krbprincipalkey attribute in LDAP, kinit failed with the error
"kinit(v5): Generic error (see e-text) while getting initial credentials".

The error reported in syslog is
krb5kdc[13914]: AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13})
10.233.22.229: LOOKING_UP_CLIENT:
[hidden email] for
krbtgt/[hidden email], unable to decode
stored principal key data (ASN.1 identifier doesn't match expected value)

Can someone please tell me where I am going wrong with the code and what
should be done to fix this?
Below you can find sample code where a cleartext password is converted to
a Kerberos key.


import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;

public class TestKerberos {

        public static void main(String[] args) throws Exception {
                // No realm given: the default realm from krb5.conf is used
                KerberosPrincipal kp = new KerberosPrincipal("TestUser");
                char[] pwd = {'p','a','s','s','w','o','r','d'};
                // Derive the AES128 long-term key from the password
                // (string-to-key with the default salt of realm + principal name)
                KerberosKey kk = new KerberosKey(kp, pwd, "AES128");
                // getEncoded() returns the raw key bytes; print them as hex
                // (printing the byte[] directly only shows an object reference)
                StringBuilder hex = new StringBuilder();
                for (byte b : kk.getEncoded()) {
                        hex.append(String.format("%02x", b));
                }
                System.out.println(hex);
        }
}

Hoping for a reply. Thanks in advance.

-
rachit
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: convert cleartext password to principal key

Simo Sorce-3
On Mon, 2014-01-27 at 17:40 +0530, Rachit Raj wrote:

> Hi,
>
> I am working on a Java code to integrate user's password in corporate LDAP
> with kerberos principal key. This code would ensure that whenever user
> change their LDAP password then their kerberos key would be updated
> automatically. Basically they would be having only one password for both
> LDAP and kerberos authentication. I am using Java's kerberos package to
> generate kerberos principal key. But when I saved this key to
> krbprincipalkey attribute in LDAP then kinit failed with error
> *"kinit(v5): Generic error (see e-text) while getting initial credentials".*

The keys saved in krbprincipalkey must be encrypted with the master key
which is normally not available to the LDAP server and shouldn't be made
available to external programs.

The easiest way for an external program is to give it a keytab and allow
it to change any user's password in the kadmin acls, then just use the
kpasswd protocol to change it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

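The keytab-plus-kadmin-ACL route Simo describes, as an added shell example that is not code from the thread: a preflight check that parses kadm5.acl to confirm the service principal actually holds changepw rights over the target user, and a wrapper that hands the new password to kadmin over stdin so the KDC derives and stores the key itself. Assumed: the service principal svc/ldapsync@EXAMPLE.COM and keytab /etc/ldapsync.keytab, that kadmin accepts its password prompts from a non-terminal stdin, and shell glob matching as a stand-in for kadm5.acl wildcards.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: service principal
# svc/ldapsync@EXAMPLE.COM, its keytab /etc/ldapsync.keytab, realm EXAMPLE.COM.
SVC_PRINC=svc/ldapsync@EXAMPLE.COM
KEYTAB=/etc/ldapsync.keytab

# Preflight: does kadm5.acl grant $2 change-password rights over $3?
# Line format: principal  perms  [target]; 'c' is changepw, '*' or 'x' is
# everything, an absent target means any principal. First matching line
# wins; shell glob matching stands in for kadm5.acl wildcards (assumption).
acl_allows_cpw() {   # acl_allows_cpw ACLFILE SVC_PRINC USER_PRINC
    while read -r who perms target rest; do
        case $who in ''|'#'*) continue ;; esac           # blank or comment
        case $2 in $who) ;; *) continue ;; esac          # ACL principal
        case $3 in ${target:-*}) ;; *) continue ;; esac  # target principal
        case $perms in *c*|*'*'*|*x*) return 0 ;; *) return 1 ;; esac
    done < "$1"
    return 1
}

# Change the user's password through kadmin, authenticating with the keytab.
# The KDC derives and stores the key (master-key encrypted) itself, so
# nothing ever writes krbPrincipalKey directly. The new password arrives on
# stdin and is fed to kadmin's two prompts, never placed on the command line.
sync_user_password() {   # sync_user_password USER_PRINC < newpassword
    IFS= read -r newpw || return 1
    printf '%s\n%s\n' "$newpw" "$newpw" |
        kadmin -p "$SVC_PRINC" -k -t "$KEYTAB" -q "change_password $1"
}

# Constructed kadm5.acl used to exercise the preflight check offline.
demo_acl_check() {   # demo_acl_check USER_PRINC -> 0 if the service may change it
    acl=$(mktemp) || return 1
    cat > "$acl" <<'EOF'
# constructed sample kadm5.acl
svc/ldapsync@EXAMPLE.COM   c   *@EXAMPLE.COM
admin/admin@EXAMPLE.COM    *
EOF
    if acl_allows_cpw "$acl" "$SVC_PRINC" "$1"; then rc=0; else rc=1; fi
    rm -f "$acl"
    return $rc
}
```

Run the preflight before every sync; a failing check means the keytab's principal lacks the `c` permission (or the target pattern) in kadm5.acl, which kadmin would otherwise report only as a permission error at change time.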