Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
- Key: vno 1, des-cbc-crc, no salt
- Key: vno 1, des-cbc-crc, Version 4
+ Key: vno 1, des-cbc-crc
+ Key: vno 1, des-cbc-crc:v4
Attributes:
Policy: [none]
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'
[...]
Number of keys: 1
- Key: vno 1, des-cbc-crc, Version 4
+ Key: vno 1, des-cbc-crc:v4
[...]
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/admin'
[...]
Number of keys: 1
- Key: vno 15, des-cbc-crc, no salt
+ Key: vno 15, des-cbc-crc
[...]
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/changepw'
[...]
Number of keys: 1
- Key: vno 14, des-cbc-crc, no salt
+ Key: vno 14, des-cbc-crc
[...]
The ``krbtgt/REALM`` key appears to have never been changed since creation
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'
[...]
Number of keys: 5
- Key: vno 2, aes256-cts-hmac-sha1-96, no salt
- Key: vno 2, aes128-cts-hmac-sha1-96, no salt
- Key: vno 2, des3-cbc-sha1, no salt
- Key: vno 2, des-cbc-crc, no salt
- Key: vno 1, des-cbc-crc, Version 4
+ Key: vno 2, aes256-cts-hmac-sha1-96
+ Key: vno 2, aes128-cts-hmac-sha1-96
+ Key: vno 2, des3-cbc-sha1
+ Key: vno 2, des-cbc-crc
+ Key: vno 1, des-cbc-crc:v4
[...]
Since the expected disruptions from rekeying the krbtgt principal are
contents-vnder-pressvre:~> kadmin -r ZONE.MIT.EDU -q 'getprinc zonetest'
[...]
Number of keys: 3
- Key: vno 9, aes256-cts-hmac-sha1-96, no salt
- Key: vno 9, aes128-cts-hmac-sha1-96, no salt
- Key: vno 9, des3-cbc-sha1, no salt
+ Key: vno 9, aes256-cts-hmac-sha1-96
+ Key: vno 9, aes128-cts-hmac-sha1-96
+ Key: vno 9, des3-cbc-sha1
[...]
[kaduk@glossolalia ~]$ kadmin -p kaduk@ZONE.MIT.EDU -r ZONE.MIT.EDU -k \
enctype, sizeof(enctype)))
snprintf(enctype, sizeof(enctype), _("<Encryption type 0x%x>"),
key_data->key_data_type[0]);
- printf("Key: vno %d, %s, ", key_data->key_data_kvno, enctype);
- if (key_data->key_data_ver > 1) {
+ printf("Key: vno %d, %s", key_data->key_data_kvno, enctype);
+ if (key_data->key_data_ver > 1 &&
+ key_data->key_data_type[1] != KRB5_KDB_SALTTYPE_NORMAL) {
if (krb5_salttype_to_string(key_data->key_data_type[1],
salttype, sizeof(salttype)))
snprintf(salttype, sizeof(salttype), _("<Salt type 0x%x>"),
key_data->key_data_type[1]);
- printf("%s\n", salttype);
- } else
- printf(_("no salt\n"));
+ printf(":%s", salttype);
+ }
+ printf("\n");
}
printf(_("MKey: vno %d\n"), dprinc.mkvno);
* Local data structures.
*/
struct salttype_lookup_entry {
- krb5_int32 stt_enctype; /* Salt type */
- const char * stt_specifier; /* How to recognize it */
- const char * stt_output; /* How to spit it out */
+ krb5_int32 stt_enctype; /* Salt type number */
+ const char * stt_name; /* Salt type name */
};
/*
#include "kdb.h"
static const struct salttype_lookup_entry salttype_table[] = {
-/* salt type input specifier output string */
-/*----------------------------- --------------- ---------------*/
- { KRB5_KDB_SALTTYPE_NORMAL, "normal", "Version 5" },
- { KRB5_KDB_SALTTYPE_V4, "v4", "Version 4" },
- { KRB5_KDB_SALTTYPE_NOREALM, "norealm", "Version 5 - No Realm" },
- { KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm", "Version 5 - Realm Only" },
- { KRB5_KDB_SALTTYPE_SPECIAL, "special", "Special" },
- { KRB5_KDB_SALTTYPE_AFS3, "afs3", "AFS version 3" },
+ { KRB5_KDB_SALTTYPE_NORMAL, "normal" },
+ { KRB5_KDB_SALTTYPE_V4, "v4", },
+ { KRB5_KDB_SALTTYPE_NOREALM, "norealm", },
+ { KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm", },
+ { KRB5_KDB_SALTTYPE_SPECIAL, "special", },
+ { KRB5_KDB_SALTTYPE_AFS3, "afs3", },
};
static const int salttype_table_nents = sizeof(salttype_table)/
sizeof(salttype_table[0]);
found = 0;
for (i=0; i<salttype_table_nents; i++) {
- if (!strcasecmp(string, salttype_table[i].stt_specifier)) {
+ if (!strcasecmp(string, salttype_table[i].stt_name)) {
found = 1;
*salttypep = salttype_table[i].stt_enctype;
break;
out = (char *) NULL;
for (i=0; i<salttype_table_nents; i++) {
if (salttype == salttype_table[i].stt_enctype) {
- out = salttype_table[i].stt_output;
+ out = salttype_table[i].stt_name;
break;
}
}
# Get the K/M principal. Verify that it has the expected mkvno. Each
# remaining argment must be a sequence of two elements: an expected
# key version and an expected enctype.
-keyline_re = re.compile(r'^Key: vno (\d+), (\S+), ')
+keyline_re = re.compile(r'^Key: vno (\d+), (\S+)$')
def check_master_dbent(expected_mkvno, *expected_keys):
outlines = realm.run_kadminl('getprinc K/M').splitlines()
mkeyline = [l for l in outlines if l.startswith('MKey: vno ')]
realm = K5Realm(create_user=False)
-# Check that a non-default salt type applies only to the key it is matched
-# with and not to subsequent keys. e1 is a enctype:salt string with
-# non-default salt, and e2 is an enctype:salt string with default salt.
-# The string argument corresponds to the salt type of e1, and must appear
-# exactly once in the getprinc output, corresponding to just the first key.
-def test_salt(realm, e1, string, e2):
- query = 'ank -e ' + e1 + ',' + e2 + ' -pw password user'
+# Check that a non-default salt type applies only to the key it is
+# matched with and not to subsequent keys. e1 and e2 are enctypes,
+# and salt is a non-default salt type.
+def test_salt(realm, e1, salt, e2):
+ query = 'ank -e %s:%s,%s -pw password user' % (e1, salt, e2)
realm.run_kadminl(query)
out = realm.run_kadminl('getprinc user')
- if len(re.findall(string, out)) != 1:
- fail(string + ' present in second enctype or not present')
+ if len(re.findall(':' + salt, out)) != 1:
+ fail(salt + ' present in second enctype or not present')
realm.run_kadminl('delprinc -force user')
# Enctype/salt pairs chosen with non-default salt types.
# The enctypes are mostly arbitrary, though afs3 must only be used with des.
# We do not enforce that v4 salts must only be used with des, but it seems
# like a good idea.
-salts = [('des-cbc-crc:afs3', 'AFS version 3'),
- ('des3-cbc-sha1:norealm', 'Version 5 - No Realm'),
- ('arcfour-hmac:onlyrealm', 'Version 5 - Realm Only'),
- ('des-cbc-crc:v4', 'Version 4'),
- ('aes128-cts-hmac-sha1-96:special', 'Special')]
+salts = [('des-cbc-crc', 'afs3'),
+ ('des3-cbc-sha1', 'norealm'),
+ ('arcfour-hmac', 'onlyrealm'),
+ ('des-cbc-crc', 'v4'),
+ ('aes128-cts-hmac-sha1-96', 'special')]
# These enctypes are chosen to cover the different string-to-key routines.
# Omit ":normal" from aes256 to check that salttype defaulting works.
second_kstypes = ['aes256-cts-hmac-sha1-96', 'arcfour-hmac:normal',
projects / thirdparty / krb5.git / commitdiff
