[1618] in Kerberos
Re: How do I delete a kerberos database entry
daemon@ATHENA.MIT.EDU (Steve Lunt)
Thu Oct 17 10:09:35 1991
Date: Thu, 17 Oct 91 09:03:39 EDT
From: Steve Lunt <lunt@ctt.bellcore.com>
To: kliman@ecs.umass.edu
Cc: kerberos@Athena.MIT.EDU

Jonathan,

We don't delete principals from our database. We simply set
their passwords (keys) to a random value (by using kdb_edit and
giving RANDOM as the password) and backdate their expiration date to
today. This way we won't accidentally reuse a principal name. The
risk there is that although you may delete a principal from the
database, you probably won't delete all references to that principal
name in every access control list (ACL, e.g., .klogin). If you
don't, and someone else is later assigned that same principal name,
they will have unintended access to the resources protected by those
ACLs.

If you wish, you can delete a principal on the master machine
like so:

    kdb_util dump file1
    grep -v "^$name $instance " file1 > file2
    kdb_util load file2

-- Steve
Steven J. Lunt | lunt@ctt.bellcore.com | RRC 1L-213
Computer Security Technology |-------------------------| 444 Hoes Lane
Bellcore | (908) 699-4244 | Piscataway, NJ 08854
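
The stale-ACL risk described in the message above can be checked before a principal name is ever reassigned. The following is an added example, not part of the original message: a hypothetical helper, acl_refs, that lists ACL lines still naming a retired principal. It assumes ACL files such as .klogin hold one principal per line in the form name[.instance][@REALM] and that an entry without a realm belongs to the local realm; EXAMPLE.ORG and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: find ACL lines that still name a retired principal.
# Assumption: one Kerberos v4 principal per line, written as
# name[.instance][@REALM] (the form assumed here for .klogin files).

# acl_refs NAME INSTANCE REALM FILE...
# Prints "file:lineno:entry" for every line naming NAME.INSTANCE@REALM.
# INSTANCE may be "" for the null instance. An entry with no @REALM is
# treated as being in REALM (assumed to be the local realm).
acl_refs() {
    name=$1 instance=$2 realm=$3
    shift 3
    awk -v n="$name" -v i="$instance" -v r="$realm" '
        {
            entry = $1
            sub(/\r$/, "", entry)          # tolerate CRLF line endings
            if (entry == "") next          # skip blank lines
            p = entry; er = r
            at = index(p, "@")
            if (at) { er = substr(p, at + 1); p = substr(p, 1, at - 1) }
            dot = index(p, ".")
            en = p; ei = ""
            if (dot) { en = substr(p, 1, dot - 1); ei = substr(p, dot + 1) }
            # Exact string comparison: "jdoe" must not match "jdoe2",
            # "jdoe.root", or "jdoe" in another realm.
            if (en == n && ei == i && er == r)
                printf "%s:%d:%s\n", FILENAME, FNR, entry
        }' "$@"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample ACLs (not from the original message).
    printf '%s\n' 'jdoe@EXAMPLE.ORG' 'jdoe2@EXAMPLE.ORG' > "$d/a.klogin"
    printf '%s\n' 'jdoe.root@EXAMPLE.ORG' 'jdoe' 'jdoe@OTHER.ORG' > "$d/b.klogin"
    # Reports a.klogin line 1 and b.klogin line 2 only.
    acl_refs jdoe "" EXAMPLE.ORG "$d/a.klogin" "$d/b.klogin"
    rm -rf "$d"
}
demo
```

An empty result for a retired principal means no scanned ACL still grants it access; any reported line should be removed before the name is reused.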