Combined DES salt and Keytab cleanup patch
abartlet at samba.org
Fri Jul 14 01:17:56 GMT 2006
On Tue, 2006-07-11 at 13:34 -0500, Gerald (Jerry) Carter wrote:
> Gerald (Jerry) Carter wrote:
> > Here's the combined DES salting and Keytab cleanup. It's
> > hard to separate the patches since they both touch the same
> > area.
> > Major points of interest:
> > * Figure the DES salt based on the domain functional level
> > and UPN (if present and applicable)
> > * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
> > keys
Why not just deal with the key as presented? We have:
smb_krb5_get_keyinfo_from_ap_req(), which returns the enc type of the
The main issue is that of policy: we might not want to allow the
attacker to choose the encryption type we will make a key for, but it
will avoid all the silly 'iterate over clearly incorrect enc types'
stuff, and be portable to new encryption types.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com