Bug#480542: krb5-admin-server - lists keys with normal salt as without salt

2008-05-10 Thread Russ Allbery
Bastian Blank [EMAIL PROTECTED] writes:

> Package: krb5-admin-server
> Version: 1.6.dfsg.3-1
> Severity: normal
>
> kadmin always lists keys with normal salt as without salt:
> | Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> | Key: vno 1, DES cbc mode with CRC-32, no salt
>
> This example was created without any special enctype definition so it
> defaults to des3-hmac-sha1:normal des-cbc-crc:normal. Version 4 salt,
> which really means: no salt, is correctly listed as Version 4.

Yup, this is upstream bug #5958.  "no salt" actually means "no salt hint,"
or "use default salt."  It makes sense how it happened from a code
perspective, but it's definitely a bug.

> Using any valid salts normal, v4, norealm and onlyrealm, afs3 seems to
> be not usable, it looks like the following:
> | Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
> | Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 4
> | Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5 - No Realm
> | Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5 - Realm Only
The AFS3 salt is specifically for compatibility with the AFS kaserver,
which only does single DES keys, so using that salt with any key other
than single DES doesn't really make any sense.

> If I use -randkey, I only get such no salt entries:
> | Key: vno 4, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
>
> As the documentation shows this behaviour in the example outputs also,
> this looks like missing documentation.

By this behavior I assume you mean the "no salt" part?  Or is there
somewhere that shows using AFS3 salts with AES keys?

-- 
Russ Allbery ([EMAIL PROTECTED])   http://www.eyrie.org/~eagle/







2008-05-10 Thread Bastian Blank
On Sat, May 10, 2008 at 02:01:15PM -0700, Russ Allbery wrote:
> Bastian Blank [EMAIL PROTECTED] writes:
> > kadmin always lists keys with normal salt as without salt:
> > | Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> > | Key: vno 1, DES cbc mode with CRC-32, no salt
> Yup, this is upstream bug #5958.  "no salt" actually means "no salt hint,"
> or "use default salt."  It makes sense how it happened from a code
> perspective, but it's definitely a bug.

It makes sense, as only password generated keys need a salt and the
standard defines which variant to use by default.

> > Using any valid salts normal, v4, norealm and onlyrealm, afs3 seems to
> > be not usable, it looks like the following:
> The AFS3 salt is specifically for compatibility with the AFS kaserver,
> which only does single DES keys, so using that salt with any key other
> than single DES doesn't really make any sense.

Yeah. So this is a documentation bug.

> > As the documentation shows this behaviour in the example outputs also,
> > this looks like missing documentation.
> By this behavior I assume you mean the "no salt" part?

Yes.

Bastian

-- 
We do not colonize.  We conquer.  We rule.  There is no other way for us.
-- Rojan, By Any Other Name, stardate 4657.5
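
Added example (not part of the thread and not krb5 code): a parser for the "Key:" lines quoted in this report that maps each printed salt label to the salt string a password-derived key would use, reading "no salt" as the default salt as explained in the two replies above. The principal alice/admin@EXAMPLE.ORG and the function names are assumptions; the default salt layout (realm followed by the name components) follows RFC 4120, and v4, norealm and onlyrealm are taken in their usual meaning.

```python
import re

# Labels printed by kadmin in this report -> salt type name used on the page.
# "no salt" is the misleading label (upstream bug #5958) for the default salt.
LABEL_TO_SALT = {
    "no salt": "normal",
    "Version 4": "v4",
    "Version 5 - No Realm": "norealm",
    "Version 5 - Realm Only": "onlyrealm",
}
KEY_RE = re.compile(r"^\|?\s*Key: vno (\d+), (.+), ([^,]+)$")


def salt_bytes(salt_type, principal):
    """Salt string for a password-derived key of 'name[/instance]@REALM'."""
    name, realm = principal.rsplit("@", 1)
    components = "".join(name.split("/"))  # components joined, no separator
    return {
        "normal": realm + components,   # RFC 4120 default salt
        "v4": "",                       # empty salt
        "norealm": components,
        "onlyrealm": realm,
    }[salt_type].encode()


def parse_keys(listing, principal):
    """Return one dict per Key: line; unknown labels raise ValueError."""
    keys = []
    for line in listing.splitlines():
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        vno, enctype, label = int(m.group(1)), m.group(2), m.group(3).strip()
        if label not in LABEL_TO_SALT:
            raise ValueError(f"unrecognised salt label: {label!r}")
        salt_type = LABEL_TO_SALT[label]
        keys.append({"vno": vno, "enctype": enctype, "salt_type": salt_type,
                     "salt": salt_bytes(salt_type, principal)})
    return keys


# Constructed input: Key: lines copied from the report, hypothetical principal.
SAMPLE = """\
| Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
| Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 4
| Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5 - No Realm
| Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5 - Realm Only
"""

if __name__ == "__main__":
    for key in parse_keys(SAMPLE, "alice/admin@EXAMPLE.ORG"):
        print(key["vno"], key["salt_type"], key["salt"])
```

For keys created with -randkey no salt enters the key at all, so the computed salt is only meaningful for password-derived keys.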







2008-05-10 Thread Bastian Blank
Package: krb5-admin-server
Version: 1.6.dfsg.3-1
Severity: normal

kadmin always lists keys with normal salt as without salt:
| Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
| Key: vno 1, DES cbc mode with CRC-32, no salt

This example was created without any special enctype definition so it
defaults to des3-hmac-sha1:normal des-cbc-crc:normal. Version 4 salt,
which really means: no salt, is correctly listed as Version 4.

Using any valid salts normal, v4, norealm and onlyrealm, afs3 seems to
be not usable, it looks like the following:
| Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
| Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 4
| Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5 - No Realm
| Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5 - Realm Only

If I use -randkey, I only get such no salt entries:
| Key: vno 4, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt

As the documentation shows this behaviour in the example outputs also,
this looks like missing documentation.

Bastian

-- 
Too much of anything, even love, isn't necessarily a good thing.
-- Kirk, The Trouble with Tribbles, stardate 4525.6


