[OpenAFS-Doc] new man page: bos_util
Jason Edgecombe
2007-08-12 03:56:29 UTC
Hi,

Here is a new man page for pod8/bos_util.pod.

It's quite sparse because I can't find much info about the command,
aside from the fact that it works like asetkey for Kerberos 4 and that it's deprecated.

I welcome any comments or insights. I figure this sparse page is better
than nothing.

Sincerely,
Jason
Jason Edgecombe
2007-08-12 17:04:49 UTC
Post by Jason Edgecombe
Hi,
Here is a new man page for pod8/bos_util.pod.
It's quite sparse because I can't find much info about the command,
aside from the fact that it works like asetkey for Kerberos 4 and that it's deprecated.
I welcome any comments or insights. I figure this sparse page is better
than nothing.
Sincerely,
Jason
The B<bos_util> command uses Kerberos 4 password types like
B<kaserver> and should not be used because of this. B<asetkey> should
be used instead of B<bos_util>.
---
This isn't really accurate. The key is a DES key regardless of how the
key is generated. asetkey copies the key from the Kerberos v5 keytab
and inserts it into the AFS KeyFile. bos_util generates the key from a
known password. There is no difference in the strength of the key
except in the fact that Kerberos v5 service keys are typically generated
using sources of true randomness whereas passwords are typically
generated by human beings and are therefore more likely to be
brute-forced via a dictionary attack.
That said, if the Kerberos v5 key was generated via a password, then the
bos_util command can be used to generate the equivalent key with the
same password.
Thanks Jeff!

Here is the second draft that includes your suggestions.

Sincerely,
Jason
Russ Allbery
2007-08-18 00:41:45 UTC
Post by Jason Edgecombe
Here is the second draft that includes your suggestions.
I've applied this with some changes. See below for my version, which can
probably be further improved.

I added more information about what's going on with salts. The salt
description that you had, based on Douglas Engert's message, is actually
the Kerberos v5 salt algorithm, which isn't one of the salt algorithms
that bos_util speaks. bos_util supports either the traditional (and
weirdly complex) AFS salt (:afs3 in MIT Kerberos parlance) or straight DES
keys with no salt (:v4). The relevant point from that message is that
since the adddes function applies no salt at all, you can use it as a
mechanism of last resort to generate a DES key by providing a pre-salted
password as input. Douglas's message doesn't explain exactly how to do
that, just that it's possible, so I tried to incorporate the information
from that message into the man page and removed the link to the message
archive.

I added some more comparisons to the bos commands and to the asetkey
commands as well and reworded the pushing of people towards asetkey.
Jason Edgecombe
2007-08-18 02:47:27 UTC
Post by Russ Allbery
Post by Jason Edgecombe
Here is the second draft that includes your suggestions.
I've applied this with some changes. See below for my version, which can
probably be further improved.
I added more information about what's going on with salts. The salt
description that you had, based on Douglas Engert's message, is actually
the Kerberos v5 salt algorithm, which isn't one of the salt algorithms
that bos_util speaks. bos_util supports either the traditional (and
weirdly complex) AFS salt (:afs3 in MIT Kerberos parlance) or straight DES
keys with no salt (:v4). The relevant point from that message is that
since the adddes function applies no salt at all, you can use it as a
mechanism of last resort to generate a DES key by providing a pre-salted
password as input. Douglas's message doesn't explain exactly how to do
that, just that it's possible, so I tried to incorporate the information
from that message into the man page and removed the link to the message
archive.
I added some more comparisons to the bos commands and to the asetkey
commands as well and reworded the pushing of people towards asetkey.
It looks good to me. I was going out on a limb with bos_util. I wanted
the page to have more meat and detail, but I couldn't find much info
besides the one thread on the mailing list. Thankfully, you fleshed out
the rest and corrected my guessing or bad info.

Jason
