Combined DES salt and Keytab cleanup patch

Andrew Bartlett abartlet at samba.org
Fri Jul 14 01:17:56 GMT 2006


On Tue, 2006-07-11 at 13:34 -0500, Gerald (Jerry) Carter wrote:
> Gerald (Jerry) Carter wrote:
> 
> > Here's the combined DES salting and Keytab cleanup.  It's
> > hard to separate the patches since they both touch the same
> > area.
> > 
> > Major points of interest:
> > 
> > * Figure the DES salt based on the domain functional level
> >   and UPN (if present and applicable)
> > * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
> >   keys

Why not just deal with the key as presented?  We have:

smb_krb5_get_keyinfo_from_ap_req(), which returns the enc type of the
incoming ticket.

The main issue is that of policy: we might not want to allow the
attacker to choose the encryption type we will make a key for, but it
will avoid all the silly 'iterate over clearly incorrect enc types'
stuff, and be portable to new encryption types.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                   http://redhat.com
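
The policy question raised in the reply above, as an added example that is not part of the original message and is not Samba code: the enctype presented in the incoming ticket is honoured only when a local allowlist names it, so exactly one key is derived and no list of enctypes is iterated. The names `enctype_policy`, `key_action_for_ticket` and `count_derivations` are hypothetical, and the policy and ticket values are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Kerberos enctype numbers (IANA registry; RFC 3961, RFC 3962, RFC 4757). */
enum { ET_DES_CBC_CRC = 1, ET_DES_CBC_MD5 = 3, ET_AES128_CTS = 17,
       ET_AES256_CTS = 18, ET_RC4_HMAC = 23 };

enum key_action { KEY_REJECT, KEY_DERIVE_SALTED, KEY_DERIVE_UNSALTED };

/* Hypothetical local policy: the enctypes this server will make a key for. */
struct enctype_policy { const int *allowed; size_t n_allowed; };

/* The enctype comes from the incoming ticket, so the client influences it.
 * Honour it only if local policy lists it; never derive a key otherwise. */
enum key_action key_action_for_ticket(const struct enctype_policy *p, int presented)
{
    for (size_t i = 0; i < p->n_allowed; i++) {
        if (p->allowed[i] != presented)
            continue;
        /* RC4-HMAC uses the unsalted NT hash; DES and AES string-to-key take a salt. */
        return presented == ET_RC4_HMAC ? KEY_DERIVE_UNSALTED : KEY_DERIVE_SALTED;
    }
    return KEY_REJECT;
}

/* Count how many of the presented enctypes would result in a key derivation. */
size_t count_derivations(const struct enctype_policy *p, const int *presented, size_t n)
{
    size_t derived = 0;
    for (size_t i = 0; i < n; i++)
        if (key_action_for_ticket(p, presented[i]) != KEY_REJECT)
            derived++;
    return derived;
}

int main(void)
{
    /* Constructed policy and constructed ticket enctypes, for illustration. */
    static const int allowed[] = { ET_DES_CBC_MD5, ET_DES_CBC_CRC, ET_RC4_HMAC };
    static const int tickets[] = { ET_RC4_HMAC, ET_DES_CBC_MD5, ET_AES256_CTS, 9999 };
    const struct enctype_policy pol = { allowed, 3 };

    for (size_t i = 0; i < 4; i++)
        printf("enctype %d -> action %d\n", tickets[i],
               (int)key_action_for_ticket(&pol, tickets[i]));
    printf("derived %zu of 4\n", count_derivations(&pol, tickets, 4));
    return 0;
}
```

Supporting a new encryption type then means adding its number to the allowlist rather than extending a loop over candidate enctypes.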