[15896] in Kerberos_V5_Development
Re: Master key migration and the stash command
daemon@ATHENA.MIT.EDU (Will Fiveash)
Mon Jun 14 15:58:17 2010
Date: Mon, 14 Jun 2010 14:58:03 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: ghudson@mit.edu
Message-ID: <20100614195803.GA24535@sun.com>
Mail-Followup-To: ghudson@mit.edu, krbdev@mit.edu
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <200901281853.n0SIrEbx016384@outgoing.mit.edu>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Is this something that should be revisited for the 1.9 release? Note
that the lack of a stash command in the kdb5_ldap_util is an issue for
some as well.
On Wed, Jan 28, 2009 at 01:53:14PM -0500, Greg Hudson wrote:
> Currently, "kdb5_util stash" does the following:
>
> 1. Open the database (or fail out)
> 2. (If there is an existing stash file, read in the master key and
> forget about it; this is odd but unimportant)
> 3. Prompt for the master key
> 4. Verify the entered key against the database (or fail out)
> 5. Write out the stash file
>
> There are two issues here. First, you can't stash the password before
> creating the database, which complicates the setup of slave DBs.
> Second, part of the master key migration project plan requires a "sync
> the stash" operation to update the stash file with all master keys.
> (http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration)
>
> I was thinking of creating a "grand unified stash" command, which
> handles all of the use cases:
>
> * If there's a database but no valid stash file, prompt for the
> master password, use it to retrieve all master keys, and write out
> a stash file containing all master keys.
>
> * If there's a database and a valid stash file, use the stashed
> master key to retrieve all DB master keys, and write out a stash
> file containing all master keys.
>
> * If there's no database and no stash file, prompt for the master
> password and stash it without verifying it.
>
> Does this plan seem reasonable, or would people rather see separate
> kdb_util operations for "prompt and stash" and "update existing
> stash"?
> _______________________________________________
> krbdev mailing list krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
--
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash@oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev