directory-dev mailing list archives

From Emmanuel Lécharny <>
Subject Kerberos keys & passwords
Date Sun, 10 Feb 2013 10:40:17 GMT
Hi guys,

As I'm working on the Kerberos server, I have a few questions.

1) Currently, when the added entry has a userPassword AT and a
krb5PrincipalName AT (which means it has a krb5principal OC), we create
the Kerberos keys using the password.

The problem is that the userPassword is a multiValued AT, so we use the
first password in the list to generate the keys. This is not necessarily
a good idea, but I don't see how we can improve this.

At least, we should inform the user about this fact.

2) Service keys: as we use the same mechanism, we generate keys based
on the userPassword. Of course, we have no way to know that the added
entry is for a service (except for hosts), so the userPassword must
exist (and its value must be randomKey so that we don't use a weak

Wouldn't it be better to generate the keys from a random password if the
userPassword AT is empty or absent?

3) We definitely need to add a plugin in Studio to allow a user to
change their password, using the changePassword protocol (and a
shell-script-based tool to do so).

Thoughts?

Emmanuel Lécharny
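The two behaviours discussed in points 1 and 2 above (deriving the Kerberos key from the first userPassword value, or drawing a random key when the attribute is absent or carries the randomKey marker), written out as an added example; this is not ApacheDS code and not the author's. It assumes the aes128-cts-hmac-sha1-96 string-to-key of RFC 3962 with the default salt (realm followed by the principal name components), and the function names `StringToKeyAES128` and `KeyForEntry` are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
)

// 128-fold("kerberos") from RFC 3961 A.1: the constant that DK() encrypts to derive AES keys.
var nfoldKerberos, _ = hex.DecodeString("6b65726265726f737b9b5b2b93132b93")

// pbkdf2SHA1 is RFC 2898 PBKDF2-HMAC-SHA1 restricted to one output block (dkLen <= 20).
func pbkdf2SHA1(password, salt []byte, iter, dkLen int) []byte {
	mac := hmac.New(sha1.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): index of the first (and only) block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:dkLen]
}

// StringToKeyAES128 is the RFC 3962 section 4 string-to-key: tmp = PBKDF2(password, salt),
// key = DK(tmp, "kerberos"). For a 16-byte key DK is one AES block encryption (CBC, zero IV).
func StringToKeyAES128(password, realm, principal string, iter int) []byte {
	salt := []byte(realm + principal) // default salt: realm followed by the name components
	tmp := pbkdf2SHA1([]byte(password), salt, iter, 16)
	blk, _ := aes.NewCipher(tmp) // tmp is always 16 bytes, so NewCipher cannot fail
	key := make([]byte, aes.BlockSize)
	blk.Encrypt(key, nfoldKerberos)
	return key
}

// KeyForEntry mirrors the post: with a multi-valued userPassword only the first value is used.
// No value, or the marker "randomKey", yields a random key instead (the proposal for services).
func KeyForEntry(userPasswords []string, realm, principal string) ([]byte, bool, error) {
	if len(userPasswords) == 0 || userPasswords[0] == "randomKey" {
		key := make([]byte, aes.BlockSize)
		_, err := rand.Read(key)
		return key, true, err // true: this key is random, the user cannot reproduce it
	}
	return StringToKeyAES128(userPasswords[0], realm, principal, 4096), false, nil
}
```

With iteration count 1, password "password" and salt "ATHENA.MIT.EDUraeburn" the derived key matches the first RFC 3962 Appendix B vector, which is the quickest way to check a string-to-key implementation against the KDC's.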
