Fix Version/s: 19
Compatibility Risk Description: The `-f` option is already used by the `ktab -d` command to force removal of entries without a prompt. There is a small chance that a user who habitually adds `-f` to every `ktab` command will trigger unnecessary KDC connections when adding entries.
Interface Kind:add/remove/modify command line option
Add `-s <salt>` and `-f` options to the `ktab` command to use the specified salt value or to fetch it from a KDC when adding entries.
The `ktab -a username password` command adds encryption keys derived from the username and password with a default salt string. Sometimes (as described in the bug report, on a Windows Server) the salt used on the KDC is not the default salt (a simple concatenation of realm and username), and the keys generated by the `ktab` command will then not match the keys held by the KDC.
Add two new options to the command. When `ktab -a username password -s altsalt` is called, `altsalt` is used instead of the default salt. When `ktab -a username password -f` is called, the tool contacts the KDC to obtain the salt actually in use (it is included in the pre-authentication data of the KRB-ERROR response to the initial authentication request).
The names of the new options follow those of the MIT krb5 `ktutil` command, as described at https://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/ktutil.html.
Usage: ktab <commands> <options> Available commands: -l [-e] [-t] list the keytab name and entries. -e with etype, -t with timestamp. --a <principal name> [<password>] [-n <kvno>] [-append] +-a <principal name> [<password>] [-n <kvno>] [-s <salt> | -f] [-append] add new key entries to the keytab for the given principal name with optional <password>. If a <kvno> is specified, new keys' Key Version Numbers equal to the value, otherwise, automatically incrementing - the Key Version Numbers. If -append is specified, new keys are + the Key Version Numbers. If <salt> is specified, it will be used + instead of the default salt. If -f is specified, the KDC will be + contacted to fetch the salt. If -append is specified, new keys are appended to the keytab, otherwise, old keys for the same principal are removed. -d <principal name> [-f] [-e <etype>] [<kvno> | all | old] delete key entries from the keytab for the specified principal. If <kvno> is specified, delete keys whose Key Version Numbers match kvno. If "all" is specified, delete all keys. If "old" is specified, delete all keys except those with the highest kvno. Default action is "all". If <etype> is specified, only keys of this encryption type are deleted. <etype> should be specified as the numberic value etype defined in RFC 3961, section 8. A prompt to confirm the deletion is displayed unless -f is specified. Common option(s): -k <keytab name> specify keytab name and path with prefix FILE:
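Review bot: the `-a` help text now gives `-f` a second, unrelated meaning (fetch the salt from the KDC) while the `-d` entry in the same usage message keeps `-f` as "no confirmation prompt", and the synopsis `[-s <salt> | -f]` shows the two new options as alternatives without the description saying what happens when both are passed; consider adding a sentence such as "-s and -f cannot be combined" and noting that `-f` here does not mean force, since the compatibility-risk text already anticipates users who append `-f` to every command. While touching this block, the unchanged context line "the numberic value etype defined in RFC 3961, section 8" carries a pre-existing typo ("numeric").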