Authenticate to LDAP with GSSAPI

Isaac Boukris iboukris at gmail.com
Mon Jun 15 16:36:41 CEST 2015


On Sun, Jun 14, 2015 at 10:19 PM, brendan kearney <bpk678 at gmail.com> wrote:
>> Well, keytab contains the key[s] (which may have been derived from
>> user's secret) so AFAI understand they are password equivalent.
>>
>> Regards,
>> Isaac B.
>
> agreed, hence my "less insecure" notion, but those Risk Management types
> can check their check box about passwords not being stored in the clear on
> the file system.

To be more accurate, it might depend on the key type.
Generally, RC4 keys are an unsalted hash of the password (specifically
the NT hash, see RFC 4757).
Perhaps salted keys could be considered somewhat better.

