directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject Re: KeyTab and EncryptionKey
Date Mon, 29 Oct 2007 03:30:50 GMT
On 10/24/07, Emmanuel Lecharny <elecharny@gmail.com> wrote:
> Hi,
>
> while looking into the kerberos code, I found a KeyTab class, which is
> used to read a KeyTab file. I have some questions related to this
> class :

Module 'kerberos-shared' in the trunk has a keytab package.  That
package has as its entry point the Keytab class.  It sounds a bit like
you are talking about something older, IIRC, possibly in another
module.  If you find keytab code, apart from the keytab package in
'kerberos-shared', you can delete it.

> - do we have any tests which shows that this class works ?

Yes, the aforementioned package is covered by the KeytabTest class
which uses package-scoped methods to test the reading and writing of
keytab bytes, avoiding the need for test files on disk.  Moreover, I
have used this in interop scenarios.

> - do we have a Keytab generator?

The Keytab class can both read and write to a File.

> - do we use this class - or intend to use it - into the kerberos server ?

I don't believe the server currently uses this class.  I originally
intended this component to be used in conjunction with the LDAP
protocol to import/export Kerberos keys to/from a keytab file.
However, a "version 2" update to the Change Password protocol is
working its way through the IETF and I believe this will be the better
solution.  I wouldn't delete it since it is useful for interop.

> - The EncryptionKey class contains a kvno which is not present in the
> ASN.1 definition of this structure : do we need this field ?

kvno needs to be somewhere.  We may not be strict about the kvno in
use and IMO most implementations aren't strict but they do check the
kvno to give the user the hint that they may not be using the correct
kvno w.r.t. the error returned to the user.  I would review in light
of your refactoring to a strict interpretation of the ASN.1
structures.

Enrique

Mime
View raw message