[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Which key type gets selected?

To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Subject: Re: Which key type gets selected?
From: Love Hörnquist Åstrand <lha@kth.se>
Date: Tue, 17 May 2005 12:20:39 +0200
Cc: heimdal-discuss@sics.se
In-Reply-To: <2f99fdec3962a3dfa8939a113025bafa@jpl.nasa.gov> (Henry B.Hotz's message of "Fri, 13 May 2005 18:15:29 -0700")
References: <2f99fdec3962a3dfa8939a113025bafa@jpl.nasa.gov>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix)


"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:

> Suppose an as-req-equivalent comes in and it's restricted to, say,
> des-cbc-crc.
>
> Suppose you have three of those keys in the DB.  One each with the V4
> salt, the AFS salt, and the V5 salt.
>
> Which one gets returned?
>
> Obviously you would *like* it to return the V4 one if it's a K4
> request, the AFS one if its a kaserver request (rx over 7004), and
> you'd like it to return the V5 one if it's a K5 request.  I don't
> offhand see how the code decides.  I'd also like to trace what the
> backup is if one of the types is missing.

Yes, that is how it works. The v4 and kaserver code preferer their "own"
salt-types, see get_des_key() in kdc/kerberos4.c

Love

PGP signature

References:
- Which key type gets selected?
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>

Prev by Date: Re: ETYPE-INFO & AS-REP questions
Next by Date: Re: Current ideas on kerberos requirements for Samba4
Prev by thread: Which key type gets selected?
Next by thread: Security impact of removing timestamp check in rd_rep()
Index(es):
- Date
- Thread