[24140] in Kerberos


Re: question about modifying master_key_type

daemon@ATHENA.MIT.EDU (Will Fiveash)
Thu Jun 23 12:58:03 2005

Date: Thu, 23 Jun 2005 11:57:02 -0500
From: Will Fiveash <William.Fiveash@sun.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Message-ID: <20050623165702.GB5247@sun.com>
Mail-Followup-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>,
	MIT Kerberos List <kerberos@mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200506231423.j5NENNq9025139@ginger.cmf.nrl.navy.mil>
cc: MIT Kerberos List <kerberos@mit.edu>
Errors-To: kerberos-bounces@mit.edu

On Thu, Jun 23, 2005 at 10:23:24AM -0400, Ken Hornstein wrote:
> >I did a little digging but was unable to determine if it was possible to
> >change the master_key_type kdc.conf parameter to another enctype and
> >then modify an existing principal DB to protect the existing principal
> >keys using the new master key.  If this is possible, how does one go
> >about it?
> 
> I tried it once.  It turns out there are a number of barriers:
> 
> - There's no tool to do it.
> - If you write a tool, you will discover that the master key enctype is
>   (inexplicitly) used as the enctype for the history key.
> 
> At that point I gave up, but there may be more problems.

Yeah, I played around with kdb5_util and came to the same point.  It
would be a nice enhancement to provide a simple way to modify a master
key's enctype to a stronger enctype and allow migration of the princ. DB
(and deal with any propagation issues).

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
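To make the migration the thread is asking for concrete, here is a toy model (an added example, not MIT Kerberos code and not a tool that existed when this was written) of what re-protecting a principal database under a new master key involves: each stored key is unwrapped with the old master key and re-wrapped with the new one, every entry tracks which master key version protects it, and old master keys can only be dropped once nothing references them. The class and method names (ToyKDB, add_mkey, use_mkey, update_princ_encryption, purge_mkeys), the HMAC-based wrapping cipher and the sample principals are all constructed for this model. It also reproduces the barrier Ken describes: the history key's enctype is copied from the master key, so the model refuses to silently re-wrap it when the master key enctype changes and requires it to be regenerated instead (a simplifying assumption of the model; the consequences for stored password history are not taken from the thread).

```python
"""Toy model of re-wrapping a KDC principal database under a new master key.
Added example, not MIT Kerberos code; every name here is invented for the model."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# The principal whose key, per the thread, takes its enctype from the master key.
HISTORY_PRINC = "kadmin/history"


def _keystream(master_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (toy cipher, not a Kerberos enctype)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(master_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def toy_wrap(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(master_key, nonce, len(plaintext))))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_unwrap(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises if the master key does not match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(master_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master key or corrupted entry")
    return bytes(c ^ k for c, k in zip(ct, _keystream(master_key, nonce, len(ct))))


@dataclass
class Entry:
    enctype: str   # enctype of the principal's own long-term key
    mkvno: int     # master key version that currently wraps it
    wrapped: bytes


class ToyKDB:
    def __init__(self, mk_enctype: str):
        self.mkeys = {1: (mk_enctype, secrets.token_bytes(32))}  # kvno -> (enctype, key)
        self.active = 1
        self.principals: dict[str, Entry] = {}
        self._add(HISTORY_PRINC, mk_enctype)  # history key enctype copied from the master key

    def _add(self, name: str, enctype: str) -> None:
        _, mk = self.mkeys[self.active]
        self.principals[name] = Entry(enctype, self.active, toy_wrap(mk, secrets.token_bytes(32)))

    def add_principal(self, name: str, enctype: str = "aes256-cts") -> None:
        self._add(name, enctype)

    def add_mkey(self, enctype: str) -> int:
        """Create a new master key version; it is not used until use_mkey()."""
        kvno = max(self.mkeys) + 1
        self.mkeys[kvno] = (enctype, secrets.token_bytes(32))
        return kvno

    def use_mkey(self, kvno: int) -> None:
        self.active = kvno

    def update_princ_encryption(self) -> tuple[list[str], list[str]]:
        """Re-wrap every entry under the active master key.
        Returns (migrated, skipped); skipped lists entries whose enctype is tied to
        the master key enctype and so cannot simply be re-wrapped."""
        new_etype, new_mk = self.mkeys[self.active]
        migrated, skipped = [], []
        for name, e in self.principals.items():
            if e.mkvno == self.active:
                continue
            if name == HISTORY_PRINC and e.enctype != new_etype:
                skipped.append(name)
                continue
            raw = toy_unwrap(self.mkeys[e.mkvno][1], e.wrapped)
            e.wrapped, e.mkvno = toy_wrap(new_mk, raw), self.active
            migrated.append(name)
        return migrated, skipped

    def regenerate_history_key(self) -> None:
        """Model assumption: issue a fresh history key in the new master key's enctype."""
        self._add(HISTORY_PRINC, self.mkeys[self.active][0])

    def purge_mkeys(self) -> list[int]:
        """Drop master key versions no entry references any more; returns what was removed."""
        in_use = {e.mkvno for e in self.principals.values()} | {self.active}
        stale = [k for k in self.mkeys if k not in in_use]
        for k in stale:
            del self.mkeys[k]
        return stale


def demo():
    """Migrate a constructed DB from a des3 master key to an aes256 one."""
    db = ToyKDB("des3-cbc-sha1")
    for p in ("alice", "bob", "krbtgt/EXAMPLE.COM"):
        db.add_principal(p)
    db.use_mkey(db.add_mkey("aes256-cts"))
    migrated, skipped = db.update_princ_encryption()
    purged_early = db.purge_mkeys()   # [] : the history entry still pins kvno 1
    db.regenerate_history_key()
    purged = db.purge_mkeys()         # [1] : now safe to drop the old master key
    return migrated, skipped, purged_early, purged, {n: e.mkvno for n, e in db.principals.items()}


if __name__ == "__main__":
    print(demo())
```

The order matters: the old master key must stay on hand until the last entry wrapped under it has been re-wrapped or replaced, which is why the first purge in `demo()` removes nothing. On a real KDC the same dependency extends to propagation, since a slave still holding the old stash cannot read entries re-wrapped under the new key.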
