% sudo kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/ad...@FOO.COM:
kadmin: ktadd -k admin.kt admin/admin
Entry for principal admin/admin with kvno 9, encryption type Triple DES
cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
Entry for principal admin/admin with kvno 9, encryption type DES cbc
mode with CRC-32 added to keytab WRFILE:admin.kt.
kadmin: quit
% sudo kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/ad...@FOO.COM:
kadmin: Incorrect password while initializing kadmin interface
^^^ tried many times -- had to fix via kadmin.local
This won't work. ktadd creates a new random key every time it
is invoked, thus destroying your earlier password derived
key. The manpage says:
ktadd [-k keytab] [-q] [-e keysaltlist]
[principal | -glob princ-exp] [...]
Adds a principal or all principals matching princ-exp
to a keytab, randomizing each principal's key in the
process. ...
I don't think the MIT distro has any tool to do what you want.
You'd probably need to write a program to extract the password
derived key directly from the KDB.
--Shumon.
Shumon Huque wrote:
> On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote:
>> Again, I must really not understand something. This
>> principal's password is getting trashed after I use
>> ktadd
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/ad...@FOO.COM:
>> kadmin: ktadd -k admin.kt admin/admin
You are creating a keytab to be used as the admin?
with a random password?
I think you are trying to create a keytab for the admin
using the current password, so you can use either the
password or the keytab.
If so look at the ktutil addent
It does not have to change the KDC database.
>> Entry for principal admin/admin with kvno 9, encryption type Triple DES
>> cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
>> Entry for principal admin/admin with kvno 9, encryption type DES cbc
>> mode with CRC-32 added to keytab WRFILE:admin.kt.
>> kadmin: quit
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/ad...@FOO.COM:
>> kadmin: Incorrect password while initializing kadmin interface
>>
>> ^^^ tried many times -- had to fix via kadmin.local
>
> This won't work. ktadd creates a new random key every time it
> is invoked, thus destroying your earlier password derived
> key. The manpage says:
>
> ktadd [-k keytab] [-q] [-e keysaltlist]
> [principal | -glob princ-exp] [...]
>
> Adds a principal or all principals matching princ-exp
> to a keytab, randomizing each principal's key in the
> process. ...
>
> I don't think the MIT distro has any tool to do what you want.
> You'd probably need to write a program to extract the password
> derived key directly from the KDB.
>
> --Shumon.
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
I wonder how people script kadmin queries with MIT-krb5.
You know, like, setting every principal's password expiration.
Shumon Huque wrote:
> On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote:
>> Again, I must really not understand something. This
>> principal's password is getting trashed after I use
>> ktadd
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/ad...@FOO.COM:
>> kadmin: ktadd -k admin.kt admin/admin
Can't you use "kadmin -k -t /path/to/keytab .."?
It also has "-w password" thus exposing the password on the
command line ..
--Shumon.
> This won't work. ktadd creates a new random key every time it
> is invoked, thus destroying your earlier password derived
> key. The manpage says:
> ktadd [-k keytab] [-q] [-e keysaltlist]
> [principal | -glob princ-exp] [...]
> Adds a principal or all principals matching princ-exp
> to a keytab, randomizing each principal's key in the
> process. ...
> I don't think the MIT distro has any tool to do what you want.
ktadd -norandkey. It's only available via kadmin.local.
--
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>
Thank you. That works as I wanted. I probably knew this
at some point but forgot.
> Thank you. That works as I wanted. I probably knew this
> at some point but forgot.
A small caveat: ktutil addent doesn't contact the KDC and thus doesn't
find out if the principal uses a non-default salt.
Then create its keytab using ktadd. You can then change it
as needed, and still have your admin/admin.
--
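The pattern the thread converges on (a dedicated scripting principal whose key lives only in a keytab, kadmin.local's ktadd -norandkey when an existing key must be exported, and kadmin -k -t instead of -w for scripted queries), written up as an added example that is not code from any poster. It assumes MIT krb5 tools in PATH, that it runs on the KDC host, and the principal name and keytab path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes MIT krb5 on the KDC host
# (kadmin.local needs direct KDB access). Realm, principal and keytab
# path below are constructed placeholders.
REALM="FOO.COM"
SCRIPT_PRINC="kadmin-script/kdc.foo.com@$REALM"   # hypothetical principal
KEYTAB="/var/lib/krb5kdc/kadmin-script.keytab"    # hypothetical path
# Principals whose keys are meant to live only in a keytab: the
# randomizing ktadd is safe for these and for nothing else.
RANDKEY_OK="$SCRIPT_PRINC"

# Pull the kvno out of 'getprinc' output ("Key: vno N, enctype, salt").
kvno_from_getprinc() {
    printf '%s\n' "$1" | sed -n 's/^Key: vno \([0-9][0-9]*\),.*/\1/p' | head -n 1
}

# 0 if the principal is on the keytab-only list, 1 otherwise (e.g.
# admin/admin, whose password-derived key must survive).
randkey_allowed() {
    for p in $RANDKEY_OK; do [ "$p" = "$1" ] && return 0; done
    return 1
}

# Export an existing key without touching the KDB entry: kadmin.local only.
ktadd_norandkey() {
    kadmin.local -q "ktadd -norandkey -k $KEYTAB $1"
}

# Run a kadmin query authenticated by keytab, so cron jobs (bulk pwexpire
# changes and the like) never put a password on the command line with -w.
scripted_kadmin() {
    kadmin -k -t "$KEYTAB" -p "$SCRIPT_PRINC" -q "$*"
}

# Guarded ktadd: never randomize a password principal, and report the kvno
# bump that means the old key (and password logins) are gone.
ktadd_guarded() {
    princ="$1"
    before=$(kvno_from_getprinc "$(kadmin.local -q "getprinc $princ")")
    if randkey_allowed "$princ"; then
        kadmin.local -q "ktadd -k $KEYTAB $princ"
    else
        echo "not randomizing $princ; exporting with -norandkey" >&2
        ktadd_norandkey "$princ"
    fi
    after=$(kvno_from_getprinc "$(kadmin.local -q "getprinc $princ")")
    [ "$before" = "$after" ] ||
        echo "kvno $before -> $after: password logins for $princ are broken" >&2
}
```

Bootstrap once with `ktadd_guarded "$SCRIPT_PRINC"`, then scripts call e.g. `scripted_kadmin "modprinc -pwexpire 2009-12-31 user@FOO.COM"` while admin/admin keeps its password.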