Apache Directory Project - KeyTab and EncryptionKey

Emmanuel Lecharny

2007-10-24, 7:11 pm

Hi,

while looking into the kerberos code, I found a KeyTab class, which is
used to read a KeyTab file. I have some questions related to this
class :

- do we have any tests which shows that this class works ?
- do we have a Keytab generator?
- do we use this class - or intend to use it - into the kerberos server ?
- The EncryptionKey class contains a kvno which is not present in the
ASN.1 definition of this structure : do we need this field ?

Thanks !

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

Enrique Rodriguez

2007-10-29, 1:11 am

On 10/24/07, Emmanuel Lecharny <elecharny-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi,
>
> while looking into the kerberos code, I found a KeyTab class, which is
> used to read a KeyTab file. I have some questions related to this
> class :


Module 'kerberos-shared' in the trunk has a keytab package. That
package has as its entry point the Keytab class. It sounds a bit like
you are talking about something older, IIRC, possibly in another
module. If you find keytab code, apart from the keytab package in
'kerberos-shared', you can delete it.

> - do we have any tests which shows that this class works ?


Yes, the aforementioned package is covered by the KeytabTest class
which uses package-scoped methods to test the reading and writing of
keytab bytes, avoiding the need for test files on disk. Moreover, I
have used this in interop scenarios.

> - do we have a Keytab generator?


The Keytab class can both read and write to a File.

> - do we use this class - or intend to use it - into the kerberos server ?


I don't believe the server currently uses this class. I originally
intended this component to be used in conjunction with the LDAP
protocol to import/export Kerberos keys to/from a keytab file.
However, a "version 2" update to the Change Password protocol is
working its way through the IETF and I believe this will be the better
solution. I wouldn't delete it since it is useful for interop.

> - The EncryptionKey class contains a kvno which is not present in the
> ASN.1 definition of this structure : do we need this field ?


kvno needs to be somewhere. We may not be strict about the kvno in
use and IMO most implementations aren't strict but they do check the
kvno to give the user the hint that they may not be using the correct
kvno w.r.t. the error returned to the user. I would review in light
of your refactoring to a strict interpretation of the ASN.1
structures.

Enrique
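As an added illustration of the two points above (a keytab reader/writer that works on bytes rather than files, and a kvno that has to live somewhere and be checked), here is a small Python implementation of the MIT keytab file format. It is not code from the thread or from the ApacheDS Keytab class; it assumes the MIT version 0x0502 layout (big-endian fields, a 32-bit kvno trailer when the entry has room for it) and also skips deleted negative-size slots, which the thread does not discuss. SAMPLE_ENTRIES and the function names are constructed for the example.

```python
import struct
KEYTAB_V2 = b"\x05\x02"   # MIT keytab format 0x0502: every integer is big-endian
# constructed sample: (principal, realm, kvno, enctype, key); enctype 17/18 = aes128/aes256-cts-hmac-sha1-96
SAMPLE_ENTRIES = [("ldap/host.example.com", "EXAMPLE.COM", 3, 17, b"\x01" * 16),
                  ("ldap/host.example.com", "EXAMPLE.COM", 258, 18, b"\x02" * 32)]
def _cstr(b): return struct.pack(">H", len(b)) + b   # counted octet string: uint16 length, then bytes
def _read_cstr(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n
def build_keytab(entries):
    """Serialise entries into keytab bytes. Entry layout: int32 size, uint16 ncomp, realm, components,
    uint32 name_type, uint32 timestamp, uint8 vno8, keyblock (uint16 enctype, uint16 len, key), uint32 vno."""
    out = bytearray(KEYTAB_V2)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, low byte of kvno
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # full 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)
def parse_keytab(data):
    """Parse keytab bytes into entry dicts; a negative size marks a deleted slot, which is skipped."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:
            pos -= size
            continue
        end = pos + size
        comps, ncomp = [], struct.unpack_from(">H", data, pos)[0]
        realm, pos = _read_cstr(data, pos + 2)
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c)
        _name_type, _timestamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        key, pos = data[pos + 13:pos + 13 + klen], pos + 13 + klen
        # the 32-bit vno is present only if the entry has room left for it; otherwise fall back to vno8
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps), "realm": realm, "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries
def lookup_key(data, principal, realm, kvno):
    found = [e for e in parse_keytab(data) if (e["principal"], e["realm"]) == (principal, realm)]
    hit = [e for e in found if e["kvno"] == kvno]
    if not hit:   # name the kvnos actually on file so the caller can tell a stale keytab from a wrong principal
        raise KeyError("%s@%s kvno %d absent; keytab has %s" % (principal, realm, kvno, sorted(e["kvno"] for e in found)))
    return hit[0]
```

Round-tripping SAMPLE_ENTRIES through build_keytab and parse_keytab shows that the 8-bit vno8 field alone would truncate kvno 258 to 2, which is why the 32-bit trailer matters.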

Emmanuel Lecharny

2007-10-29, 7:11 am

Hi Enrique,

Enrique Rodriguez wrote:
> On 10/24/07, Emmanuel Lecharny <elecharny-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
>
> Module 'kerberos-shared' in the trunk has a keytab package. That
> package has as its entry point the Keytab class. It sounds a bit like
> you are talking about something older, IIRC, possibly in another
> module. If you find keytab code, apart from the keytab package in
> 'kerberos-shared', you can delete it.
>

Ok, found it... I was looking into the apacheds-password-client project,
and didn't find the Keytab tests. Thanks for pointing them out to me.

>
> I don't believe the server currently uses this class. I originally
> intended this component to be used in conjunction with the LDAP
> protocol to import/export Kerberos keys to/from a keytab file.
> However, a "version 2" update to the Change Password protocol is
> working its way through the IETF and I believe this will be the better
> solution. I wouldn't delete it since it is useful for interop.
>

Ok, np. I will keep this KeyTab class, I was just wondering what it
would be good at. After some googling, I see it's good to have it.
>
>
> kvno needs to be somewhere. We may not be strict about the kvno in
> use and IMO most implementations aren't strict but they do check the
> kvno to give the user the hint that they may not be using the correct
> kvno w.r.t. the error returned to the user. I would review in light
> of your refactoring to a strict interpretation of the ASN.1
>

Let me think more about this question and your answer. I must further my
understanding about the use of this kvno member.

Thanks for the answers !

E.

