directory-dev mailing list archives

From Emmanuel Lecharny <elecha...@gmail.com>
Subject Re: KeyTab and EncryptionKey
Date Mon, 29 Oct 2007 08:40:19 GMT
Hi Enrique,

Enrique Rodriguez wrote:
> On 10/24/07, Emmanuel Lecharny <elecharny@gmail.com> wrote:
>   
>> Hi,
>>
>> while looking into the kerberos code, I found a KeyTab class, which is
>> used to read a KeyTab file. I have some questions related to this
>> class :
>>     
>
> Module 'kerberos-shared' in the trunk has a keytab package.  That
> package has as its entry point the Keytab class.  It sounds a bit like
> you are talking about something older, IIRC, possibly in another
> module.  If you find keytab code, apart from the keytab package in
> 'kerberos-shared', you can delete it.
>   
Ok, found it... I was looking into the apacheds-password-client project, 
and didn't find the Keytab tests. Thanks for pointing them out to me.

>> - do we use this class - or intend to use it - into the kerberos server ?
>>     
>
> I don't believe the server currently uses this class.  I originally
> intended this component to be used in conjunction with the LDAP
> protocol to import/export Kerberos keys to/from a keytab file.
> However, a "version 2" update to the Change Password protocol is
> working its way through the IETF and I believe this will be the better
> solution.  I wouldn't delete it since it is useful for interop.
>   
Ok, np. I will keep this KeyTab class, I was just wondering what it 
would be good at. After some googling, I see it's good to have it.
>   
>> - The EncryptionKey class contains a kvno which is not present in the
>> ASN.1 definition of this structure : do we need this field ?
>>     
>
> kvno needs to be somewhere.  We may not be strict about the kvno in
> use and IMO most implementations aren't strict but they do check the
> kvno to give the user the hint that they may not be using the correct
> kvno w.r.t. the error returned to the user.  I would review in light
> of your refactoring to a strict interpretation of the ASN.1
>   
Let me think more about this question and your answer. I must further my 
understanding about the use of this kvno member.

Thanks for the answers !

E.

