Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8279632

New options for ktab to provide non-default salt



    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 19
    • Component/s: security-libs
    • Labels:
    • Subcomponent:
    • Compatibility Kind:
    • Compatibility Risk:
    • Compatibility Risk Description:
      The `-f` option already used by the `ktab -d` command to force removing entries without a prompt. There might be a small chance that a user always adding `-f` to any `ktab` command and it will trigger unnecessary KDC connections when adding entries.
    • Interface Kind:
      add/remove/modify command line option
    • Scope:



      Add -s <salt> and -f options to the ktab command to use the specified salt value or to fetch it from a KDC when adding entries.


      The ktab -a username password command adds encryption keys derived from the username and password with a default salt string. Sometimes (as described in the bug report on a Windows Server) the salt used on the KDC might not be the default salt (which is a simple concatenation of realm and username), and the keys generated by the ktab command will not match the keys in KDC.


      Add two new options to the command. When ktab -a username password -s altsalt is called, altsalt is used instead of the default salt. When ktab -a username password -f is called, the tool will contact the KDC to get the actual salt used (which will be included in the pre-authentication field in the KRB-ERROR response to the initial authentication request).

      The names of the new options follow the MIT krb5 ktutil command as described on https://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/ktutil.html.


       Usage: ktab <commands> <options>
       Available commands:
       -l [-e] [-t]
           list the keytab name and entries. -e with etype, -t with timestamp.
      --a <principal name> [<password>] [-n <kvno>] [-append]
      +-a <principal name> [<password>] [-n <kvno>] [-s <salt> | -f] [-append]
           add new key entries to the keytab for the given principal name with
           optional <password>. If a <kvno> is specified, new keys' Key Version
           Numbers equal to the value, otherwise, automatically incrementing
      -    the Key Version Numbers. If -append is specified, new keys are
      +    the Key Version Numbers. If <salt> is specified, it will be used
      +    instead of the default salt. If -f is specified, the KDC will be
      +    contacted to fetch the salt. If -append is specified, new keys are
           appended to the keytab, otherwise, old keys for the
           same principal are removed.
       -d <principal name> [-f] [-e <etype>] [<kvno> | all | old]
           delete key entries from the keytab for the specified principal. If
           <kvno> is specified, delete keys whose Key Version Numbers match
           kvno. If "all" is specified, delete all keys. If "old" is specified,
           delete all keys except those with the highest kvno. Default action
           is "all". If <etype> is specified, only keys of this encryption type
           are deleted. <etype> should be specified as the numberic value etype
           defined in RFC 3961, section 8. A prompt to confirm the deletion is
           displayed unless -f is specified.
       Common option(s):
       -k <keytab name>
           specify keytab name and path with prefix FILE:


          Issue Links



              weijun Weijun Wang
              webbuggrp Webbug Group
              Reviewed By:
              Valerie Peng
              0 Vote for this issue
              1 Start watching this issue