On 10/26/2017 10:57 AM, Jerry Shipman wrote: > If the key blob is different (for the same ciphers), does it for sure mean > that the passwords are different? Or is it maybe salted with the kvno or > something? (I thought the salt was predictable -- realm, or principal name, > or nothing -- which would be the same for the different keys. And it would > almost have to be the same, in order for the history to work?)
The key blob in the dump file is encrypted with the master key. This encryption is non-deterministic (it uses a random confounder), so the key blobs in the dump file should pretty much always be different when the key changes, even to the same password. The size should generally be the same, though, even if the passwords were different. If the key blobs are really of different sizes, I would be interested in knowing the enctype The salt is normally deterministic, unless the "special" salt type is used. The kvno is never included in the salt. > I don't understand this at all, but I sort of naively expected that all keys > of a certain cipher type would be the same size. Why is the one larger? Maybe > does it contain the old key history in there? or something else? (I know the > key history is stored somewhere...) The key history is stored within a tl_data entry of type 3 (aka KRB5_TL_KADM_DATA). tl-data comes before key data in a dump record, so you might be looking at that. > Is there something reasonable I can do to definitively find out whether the > user's old and new passwords are the same? In principle one could (or could determine why kadmind can't tell whether they are different), but we don't have the tooling to make it easy. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
