On 10/07/2014 08:43 AM, kannan rbk wrote: > Is there any way to get the password hash & salt from the kerberos server?
The Kerberos protocol uses a very specific kind of "password hash" (the RFC 3961 string-to-key operation), which may not be importable into other applications. It might be importable into Active Directory since AD is itself a Kerberos implementation; I'm not certain. The MIT krb5 admin protocol doesn't allow long-term keys to be retrieved from the DB without changing them. But you can retrieve long-term keys using kadmin.local (using the "ktadd -norandkey" operation) or from a database dump. The salt can be retrieved in a variety of ways: from the etype-info2 field of an AS reply, from a database dump, or in most cases just by computing the default salt from the principal name. The default salt for a principal name is the realm name followed by the principal components in order, e.g. "ATHENA.MIT.EDUghudson" for ghud...@athena.mit.edu. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
