[krbdev.mit.edu #8587] ktutil addent should be able to fetch etype-info2 for principal

Greg Hudson via RT
At the moment, ktutil addent requires you to specify the enctype and
salt (if it's not the default), and it just can't work if there are
s2kparams or a salt that can't be written as a C string on the command
line.  There should be an option to fetch the etype-info2 value for
the principal from the KDC and use that.

To do this we need a new library interface, probably an extension of
the get_init_creds interfaces, to make an AS-REQ and extract the
etype-info2 from either the AS-REP or PREAUTH_REQUIRED error response.

(You also have to specify a kvno to ktutil addent.  That information
is available from the KDC if it issues a ticket and includes a kvno in
the EncryptedData, but not if preauth is required for the principal or
if the KDC just doesn't include a kvno when issuing a ticket.  So I
don't think it's worth the complexity of even trying to fetch it.)

_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs