[37396] in Kerberos


Re: kprop with multiple or NATted IP address

daemon@ATHENA.MIT.EDU (Jerry Shipman)
Thu Jan 28 08:25:43 2016

From: Jerry Shipman <jes59@cornell.edu>
To: Russ Allbery <eagle@eyrie.org>
Date: Thu, 28 Jan 2016 13:25:21 +0000
Message-ID: <18C94D30-2C39-49F5-A35A-A5C2DF1C4B51@cornell.edu>
In-Reply-To: <87d1sm4mhc.fsf@hope.eyrie.org>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

(I thought about that about 5 minutes after I sent the email — oops.)
I guess my question is: does kprop do anything other than secrecy of the data in transmission, integrity of the transmission, and kdb5_util dump/load? Or can I really do the same thing in a cron job (or maybe two, one on each end) without missing anything important? I guess I would lose out on the possibility of doing incremental propagation.

Thanks again,
Jerry

> On Jan 27, 2016, at 6:43 PM, Russ Allbery <eagle@eyrie.org> wrote:
> 
> Jerry Shipman <jes59@cornell.edu> writes:
> 
>> It’s me again, who was trying to kprop through a NAT a month ago.
> 
>> Hypothetically speaking… how bad of an idea would it be to make a cron
>> job that `scp`s the database file to the slave KDC, or something like
>> that? Does the slave KDC daemon need to restart after the file is
>> updated, maybe? Or is this significantly less safe than using kprop? I
>> think I would be relying on ssh instead of kerberos for the
>> confidentiality and integrity. But I do that whenever I log into the
>> machine anyway. I think I may risk getting the file in the middle of a
>> write (so some records could be corrupted in the copy). It seems like
>> this would be a bad idea; just checking.
> 
> If you're going to use scp, I strongly recommend generating a dump with
> kdb5_util dump, scping that, and then loading it with kdb5_util load.
> That's effectively what kprop/kpropd do.
> 
> Just copying the database file runs the risk of copying a corrupt database
> because you happened to catch it in the middle of a write, as you note.
> 
> -- 
> Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
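The dump / scp / load sequence Russ describes, written out as a cron-able script. This is an added example, not code from the thread and not MIT's kprop or kpropd; the replica hostname, the staging directory, root-to-root ssh between the two KDCs, and the replica already holding its stash file (so kdb5_util load can open the database) are all assumptions. It adds the checks a practitioner would want before trusting the copy: the dump is generated through kdb5_util rather than by copying principal.db, so it is a consistent snapshot; it is written under a temporary name and renamed, so a second run never sees a half-written file; the receiving side verifies a digest and the dump's version header before loading, so an interrupted scp or an empty dump from a failed run is never loaded; and the dump (which contains every principal's keys) is created with mode 0600 and removed after the load. Like kpropd, the load side only runs kdb5_util load, which builds the new database and promotes it into place, so krb5kdc on the replica is not restarted. What this does not give you is incremental (iprop) propagation: every run is a full dump and full load.

```shell
#!/bin/sh
# Added example (not from the thread, not MIT code): replace kprop/kpropd with
# kdb5_util dump -> scp -> kdb5_util load, which is what kprop does under the hood.
# Assumptions (hypothetical, adjust for your realm): root on the master can ssh to
# root on the replica, both hosts use the same staging directory path, and the
# replica already has its stash file so kdb5_util load can open the database.
set -eu
umask 077   # the dump holds every principal's keys: same sensitivity as principal.db

REPLICA="${REPLICA:-kdc2.example.org}"                  # assumption: replica KDC
STAGE="${STAGE:-/var/kerberos/krb5kdc/propagation}"     # assumption: scratch dir
DUMP="$STAGE/slave_datatrans"                            # mirrors kprop's default name

# Portable sha256 of a file (coreutils sha256sum or BSD shasum), bare hex digest.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# kdb5_util dump files begin with a version header; an empty or truncated file
# (dump killed mid-way, disk full) does not, and must never reach kdb5_util load.
dump_header_ok() {
    head -n 1 "$1" 2>/dev/null | grep -q '^kdb5_util load_dump version '
}

# Compare a file against the bare hex digest stored in a sidecar file.
checksum_ok() {   # checksum_ok FILE DIGESTFILE
    [ "$(sha256_of "$1")" = "$(cat "$2")" ]
}

# Everything the replica should check on a received dump before loading it.
received_dump_ok() {   # received_dump_ok FILE DIGESTFILE
    [ -s "$1" ] && [ -f "$2" ] && checksum_ok "$1" "$2" && dump_header_ok "$1"
}

master_push() {
    mkdir -p "$STAGE"
    tmp="$DUMP.$$.tmp"
    # kdb5_util dump reads through the KDB layer and takes the database lock, so it
    # produces a consistent snapshot; scp/cp of principal.db can catch a mid-write state.
    kdb5_util dump "$tmp"
    dump_header_ok "$tmp"
    sha256_of "$tmp" > "$tmp.sha256"
    # rename into place so a concurrent run never sees a half-written dump
    mv -f "$tmp" "$DUMP"
    mv -f "$tmp.sha256" "$DUMP.sha256"
    # ssh provides the confidentiality and integrity kprop would otherwise supply
    ssh "root@$REPLICA" "mkdir -p '$STAGE'"
    scp -q "$DUMP" "$DUMP.sha256" "root@$REPLICA:$STAGE/"
    # run this same script in "load" mode on the replica (sh -s reads it from stdin)
    ssh "root@$REPLICA" "STAGE='$STAGE' sh -s load" < "$0"
}

replica_load() {
    # refuse a partial copy, a stale digest or an empty/truncated dump
    received_dump_ok "$DUMP" "$DUMP.sha256"
    # Like kpropd, just load: kdb5_util load builds the new database in a temporary
    # file and promotes it into place, so krb5kdc keeps running and needs no restart.
    kdb5_util load "$DUMP"
    rm -f "$DUMP" "$DUMP.sha256"   # do not leave key material lying around
}

main() {
    case "${1:-}" in
        push) master_push ;;
        load) replica_load ;;
        *)    echo "usage: $0 push | load   (load is normally run over ssh by push)" >&2 ;;
    esac
}
main "$@"
```

Run it as `kprop-scp.sh push` from the master's cron; the load step on the replica is invoked by the push over the same ssh session, so only the master needs a cron entry. If the master side and replica side are to be scheduled separately (Jerry's "maybe two, one on each end"), the replica can run `kprop-scp.sh load` on its own schedule, and the checks in received_dump_ok are what keep it from loading a file that scp is still writing.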

