[36248] in Kerberos
Re: is the master key cached somehow (slave side)?
daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Wed Jul 2 22:24:11 2014
Date: Wed, 2 Jul 2014 22:23:53 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Giuseppe Mazza <g.mazza@imperial.ac.uk>
In-Reply-To: <53AADEA1.7010409@imperial.ac.uk>
Message-ID: <alpine.GSO.1.10.1407022219220.17412@multics.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Wed, 25 Jun 2014, Giuseppe Mazza wrote:
> Is it the normal behaviour?
> I thought you should have a valid stash file in place to access the
> database on the slave. Maybe not?
> Or there is some kind of caching?
> Do you know how it works?
The master key is ~only used to encrypt the long-term key information
stored in the database; as such, it is only needed when those keys are to
be accessed for cryptographic operations. Merely copying the database
around does not require the master key. (Still, such copying should be
done over an encrypted connection.)
kprop/kpropd is an "ordinary" (in one sense) kerberized service, using the
host principals of the master and slave KDC machines as the client and
service principals. Since those keys are still in the main krb5.keytab on
both machines when the stash file is moved out of the way, the kpropd
operation succeeds. When the stash file is moved back into place, the new
principal's key and information can be accessed as usual.
-Ben