Combined DES salt and Keytab cleanup patch

Andrew Bartlett abartlet at
Fri Jul 14 01:17:56 GMT 2006

On Tue, 2006-07-11 at 13:34 -0500, Gerald (Jerry) Carter wrote:
> Gerald (Jerry) Carter wrote:
> > Here's the combined DES salting and Keytab cleanup.  It's
> > hard to separate the patches since they both touch the same
> > area.
> > 
> > Major points of interest:
> > 
> > * Figure the DES salt based on the domain functional level
> >   and UPN (if present and applicable)
> > * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
> >   keys

Why not just deal with the key as presented?  We have:

smb_krb5_get_keyinfo_from_ap_req(), which returns the enc type of the
incoming ticket.

The main issue is that of policy: we might not want to allow the
attacker to choose the encryption type we will make a key for, but it
will avoid all the silly 'iterate over clearly incorrect enc types'
stuff, and be portable to new encryption types.

Andrew Bartlett

Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.         
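
The policy check raised in this reply, as an added example that is not part of the original message and is not Samba code: the enctype reported for the incoming ticket is looked up in a local allow-list before any key is derived for it. `check_presented_enctype`, `struct enc_policy` and the sample policy are hypothetical; the enctype numbers are the standard Kerberos assignments.

```c
#include <stddef.h>
#include <stdio.h>

/* Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757). */
enum { ENC_DES_CBC_CRC = 1, ENC_DES_CBC_MD5 = 3, ENC_AES128_CTS = 17,
       ENC_AES256_CTS = 18, ENC_RC4_HMAC = 23 };

enum enc_decision { ENC_ACCEPT, ENC_REJECT_POLICY, ENC_REJECT_UNKNOWN };

/* Hypothetical policy entry: an enctype we can derive a key for, and
 * whether local policy lets a peer select it via its ticket. */
struct enc_policy { int enctype; int allowed; };

/* Constructed sample policy. Supporting a new enctype is one more row,
 * not another pass through a hard-coded iteration. */
static const struct enc_policy sample_policy[] = {
    { ENC_DES_CBC_CRC, 0 },   /* known, but disabled by policy */
    { ENC_DES_CBC_MD5, 1 },
    { ENC_RC4_HMAC,    1 },
    { ENC_AES256_CTS,  1 },
};
#define SAMPLE_POLICY_LEN (sizeof(sample_policy) / sizeof(sample_policy[0]))

/* Decide whether to build a key for the enctype the ticket presented.
 * The value is peer-controlled, so anything not explicitly allowed is
 * rejected, and "unknown" is kept distinct from "disabled" for logging. */
enum enc_decision check_presented_enctype(const struct enc_policy *policy,
                                          size_t n, int ticket_enctype)
{
    for (size_t i = 0; i < n; i++) {
        if (policy[i].enctype == ticket_enctype)
            return policy[i].allowed ? ENC_ACCEPT : ENC_REJECT_POLICY;
    }
    return ENC_REJECT_UNKNOWN;
}

int main(void)
{
    const int presented[] = { ENC_RC4_HMAC, ENC_DES_CBC_CRC,
                              ENC_AES128_CTS, ENC_AES256_CTS };
    for (size_t i = 0; i < sizeof(presented) / sizeof(presented[0]); i++)
        printf("enctype %d -> decision %d\n", presented[i],
               (int)check_presented_enctype(sample_policy, SAMPLE_POLICY_LEN,
                                            presented[i]));
    return 0;
}
```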

More information about the samba-technical mailing list