JDK-8279632: New options for ktab to provide non-default salt


    • Type: CSR
    • Resolution: Approved
    • Priority: P4
    • Fix Version/s: 19
    • Component/s: security-libs
    • Labels: None
    • Compatibility Kind: behavioral
    • Compatibility Risk: low
    • Compatibility Risk Description: The `-f` option is already used by the `ktab -d` command to force removal of entries without a prompt. There is a small chance that a user who habitually adds `-f` to every `ktab` command will trigger unnecessary KDC connections when adding entries.
    • Interface Kind: add/remove/modify command line option
    • Scope: JDK

      Summary

      Add -s <salt> and -f options to the ktab command to use the specified salt value or to fetch it from a KDC when adding entries.

      Problem

      The `ktab -a username password` command adds encryption keys derived from the username and password with a default salt string. Sometimes (as described in the bug report, on a Windows Server) the salt used on the KDC might not be the default salt (which is a simple concatenation of the realm and the username), and the keys generated by the ktab command will then not match the keys in the KDC.
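The mismatch is easy to see in code. The following is an added example, not the CSR's or the JDK's own implementation: it implements the aes128-cts-hmac-sha1-96 string-to-key function of RFC 3962 (PBKDF2-HMAC-SHA1 followed by DK with the constant "kerberos") and derives the same password once with the default salt and once with another salt. Go is used rather than Java only because its standard library has the HMAC-SHA1 and AES primitives needed to run this stand-alone. The realm, principal, password and the salt value "altsalt" are constructed, `DefaultSalt` is a helper written for this example, and the n-fold constant comes from RFC 3961 Appendix A.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// nfold128Kerberos is n-fold("kerberos", 128) from RFC 3961 Appendix A. DK()
// encrypts this constant under the PBKDF2 output to produce the final key.
var nfold128Kerberos = []byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// DefaultIterations is the iteration count RFC 3962 prescribes when the KDC
// sends no s2kparams.
const DefaultIterations = 4096

// DefaultSalt builds the RFC 4120 default salt: the realm followed by the
// principal name components with no separators. This is the salt ktab uses
// when neither -s nor -f is given. (Helper written for this example.)
func DefaultSalt(realm string, components ...string) string {
	salt := realm
	for _, c := range components {
		salt += c
	}
	return salt
}

// pbkdf2Sha1Block1 returns the first 20-byte block of PBKDF2-HMAC-SHA1
// (RFC 2898 section 5.2). A 16-byte AES-128 key fits inside this one block,
// so no further blocks are needed here.
func pbkdf2Sha1Block1(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha1.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(i) for block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// Aes128StringToKey implements string-to-key for aes128-cts-hmac-sha1-96
// (RFC 3962 section 4): tkey = PBKDF2(password, salt, iterations, 16) and
// key = DK(tkey, "kerberos"). For a 128-bit key, DK reduces to a single AES
// block encryption of n-fold("kerberos") under tkey.
func Aes128StringToKey(password, salt string, iterations int) ([]byte, error) {
	tkey := pbkdf2Sha1Block1([]byte(password), []byte(salt), iterations)[:16]
	block, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 16)
	block.Encrypt(key, nfold128Kerberos)
	return key, nil
}

func main() {
	// Constructed sample values: principal alice@EXAMPLE.COM whose KDC stored
	// the key under a non-default salt ("altsalt", as in the CSR's example
	// invocation) rather than the default "EXAMPLE.COMalice".
	const realm, user, password = "EXAMPLE.COM", "alice", "correct horse"
	defaultKey, _ := Aes128StringToKey(password, DefaultSalt(realm, user), DefaultIterations)
	kdcKey, _ := Aes128StringToKey(password, "altsalt", DefaultIterations)
	fmt.Printf("default salt %q -> %s\n", DefaultSalt(realm, user), hex.EncodeToString(defaultKey))
	fmt.Printf("KDC salt     %q -> %s\n", "altsalt", hex.EncodeToString(kdcKey))
	fmt.Println("keys match:", bytes.Equal(defaultKey, kdcKey)) // false: this keytab cannot authenticate
}
```

The derivation can be checked against RFC 3962 Appendix B: iteration count 1, password "password" and salt "ATHENA.MIT.EDUraeburn" must give the AES-128 key 42263c6e89f4fc28b8df68ee09799f15. With any other salt the key, and therefore the keytab entry, differs byte for byte, which is exactly why a keytab built with the default salt fails against a KDC that stored the key under another salt.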

      Solution

      Add two new options to the command. When ktab -a username password -s altsalt is called, altsalt is used instead of the default salt. When ktab -a username password -f is called, the tool will contact the KDC to get the actual salt used (which will be included in the pre-authentication field in the KRB-ERROR response to the initial authentication request).
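What the `-f` path has to read from the KDC, as an added Go example that is not code from the CSR or from the JDK: the KRB-ERROR that answers an initial AS-REQ without pre-authentication carries ETYPE-INFO2 entries (PA-DATA type 19), each naming an offered encryption type and, optionally, the salt and string-to-key parameters the KDC used. The struct below transcribes that ASN.1 definition for Go's encoding/asn1. The sample bytes are constructed with a tiny DER helper rather than captured from a real KDC, and `SaltFor`, `SampleEtypeInfo2` and the salt value are illustration only.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// EtypeInfo2Entry transcribes ETYPE-INFO2-ENTRY from RFC 4120 section 5.2.7.5:
//   SEQUENCE { etype [0] Int32, salt [1] KerberosString OPTIONAL,
//              s2kparams [2] OCTET STRING OPTIONAL }
// The KDC sends a SEQUENCE OF these as PA-DATA type 19 (PA-ETYPE-INFO2) inside
// the e-data of its KRB-ERROR. KerberosString is a GeneralString on the wire
// (universal tag 0x1b), which encoding/asn1 decodes into a plain Go string.
type EtypeInfo2Entry struct {
	Etype     int32  `asn1:"explicit,tag:0"`
	Salt      string `asn1:"explicit,optional,tag:1"`
	S2KParams []byte `asn1:"explicit,optional,tag:2"` // for AES: 4-octet big-endian iteration count
}

// ParseEtypeInfo2 decodes a DER-encoded ETYPE-INFO2 value into its entries.
func ParseEtypeInfo2(der []byte) ([]EtypeInfo2Entry, error) {
	var entries []EtypeInfo2Entry
	rest, err := asn1.Unmarshal(der, &entries)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after ETYPE-INFO2")
	}
	return entries, nil
}

// SaltFor looks up an etype in the KDC's answer. found reports whether the KDC
// offers that etype at all; hasSalt is false when the entry carries no salt,
// in which case the client falls back to the default salt (realm + principal).
// An explicitly empty salt is indistinguishable from an absent one with a
// plain string field; use asn1.RawValue if that distinction matters.
func SaltFor(entries []EtypeInfo2Entry, etype int32) (salt string, hasSalt, found bool) {
	for _, e := range entries {
		if e.Etype == etype {
			return e.Salt, e.Salt != "", true
		}
	}
	return "", false, false
}

// tlv is a minimal short-form DER encoder used only to build the constructed sample.
func tlv(tag byte, v []byte) []byte {
	return append([]byte{tag, byte(len(v))}, v...)
}

// SampleEtypeInfo2 is a constructed (not captured) ETYPE-INFO2: the KDC offers
// aes256-cts-hmac-sha1-96 (etype 18) keyed with a non-default salt, and
// rc4-hmac (etype 23), which carries no salt.
func SampleEtypeInfo2() []byte {
	aes256 := tlv(0x30, append(
		tlv(0xa0, tlv(0x02, []byte{18})), // [0] etype INTEGER 18
		tlv(0xa1, tlv(0x1b, []byte("EXAMPLE.COMaltsalt")))...)) // [1] salt GeneralString
	rc4 := tlv(0x30, tlv(0xa0, tlv(0x02, []byte{23}))) // [0] etype INTEGER 23, no salt
	return tlv(0x30, append(aes256, rc4...))           // SEQUENCE OF entries
}

func main() {
	entries, err := ParseEtypeInfo2(SampleEtypeInfo2())
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		salt, hasSalt, _ := SaltFor(entries, e.Etype)
		if hasSalt {
			fmt.Printf("etype %d: KDC salt %q (what ktab -f would use)\n", e.Etype, salt)
		} else {
			fmt.Printf("etype %d: no salt advertised, default salt applies\n", e.Etype)
		}
	}
}
```

The practical point for a tool like ktab is that the salt must be taken per encryption type: the KDC can advertise a salt for one etype and none for another, and an etype the KDC does not list at all has no salt to fetch, so a keytab entry of that type would be pointless regardless of the salt used.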

      The names of the new options follow the MIT krb5 ktutil command as described on https://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/ktutil.html.

      Specification

       Usage: ktab <commands> <options>
      
       Available commands:
      
       -l [-e] [-t]
           list the keytab name and entries. -e with etype, -t with timestamp.
      --a <principal name> [<password>] [-n <kvno>] [-append]
      +-a <principal name> [<password>] [-n <kvno>] [-s <salt> | -f] [-append]
           add new key entries to the keytab for the given principal name with
           optional <password>. If a <kvno> is specified, new keys' Key Version
           Numbers equal to the value, otherwise, automatically incrementing
      -    the Key Version Numbers. If -append is specified, new keys are
      +    the Key Version Numbers. If <salt> is specified, it will be used
      +    instead of the default salt. If -f is specified, the KDC will be
      +    contacted to fetch the salt. If -append is specified, new keys are
           appended to the keytab, otherwise, old keys for the
           same principal are removed.
       -d <principal name> [-f] [-e <etype>] [<kvno> | all | old]
           delete key entries from the keytab for the specified principal. If
           <kvno> is specified, delete keys whose Key Version Numbers match
           kvno. If "all" is specified, delete all keys. If "old" is specified,
           delete all keys except those with the highest kvno. Default action
           is "all". If <etype> is specified, only keys of this encryption type
           are deleted. <etype> should be specified as the numberic value etype
           defined in RFC 3961, section 8. A prompt to confirm the deletion is
           displayed unless -f is specified.
      
       Common option(s):
      
       -k <keytab name>
           specify keytab name and path with prefix FILE:
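Review bot: the synopsis marks `-s <salt>` and `-f` as alternatives (`[-s <salt> | -f]`), but the description that follows says only what each does on its own, not what happens when both are given; add a sentence saying the combination is rejected (or which one takes precedence) so the documented behaviour matches the synopsis. The same letter now means "fetch the salt from the KDC" under `-a` and "force, no confirmation prompt" under `-d`; since the CSR itself records this as the compatibility risk, a short cross-reference in the `-a` text would help users who habitually pass `-f`. Unrelated to this change but inside the touched block: the `-d` context line still reads "numberic value etype" (should be "numeric").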

            Assignee: Weijun Wang
            Reporter: Webbug Group
            Reviewed by: Valerie Peng