[15913] in Kerberos_V5_Development


Re: Master key migration and the stash command

daemon@ATHENA.MIT.EDU (Will Fiveash)
Mon Jun 21 18:45:01 2010

Date: Mon, 21 Jun 2010 17:44:05 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20100621224405.GB2232@sun.com>
Mail-Followup-To: Greg Hudson <ghudson@mit.edu>,
	"krbdev@mit.edu" <krbdev@mit.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <1277154477.12977.252.camel@ray>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Mon, Jun 21, 2010 at 05:07:57PM -0400, Greg Hudson wrote:
> On Mon, 2010-06-14 at 15:58 -0400, Will Fiveash wrote:
> > Is this something that should be revisited for the 1.9 release?  Note
> > that the lack of a stash command in the kdb5_ldap_util is an issue for
> > some as well.
> 
> I fixed "kdb5_util stash" to work against LDAP databases; it was a very
> simple bug.  I tagged the fix for 1.8.3; it could also go easily into
> releases as early as (I think) 1.6.

Thanks Greg, that addresses the issue a customer was having.

> Possible remaining improvements include:
> 
>   * Make it possible to use "kdb5_util stash" before a KDB exists, and
> make "kdb5_util create" recognize and use the stash file.  I'm no longer
> sure this is worth the effort.  It would make the creation of slave KDCs
> appear slightly more elegant in some deployment scenarios, but not
> actually any more correct (the initial KDB contents are overwritten by
> the kdb5_util load regardless).  It might also be more work than I had
> anticipated.
> 
>   * When the KDB is present but a valid stash file is not, make
> "kdb5_util stash" examine the K/M record to deduce the master key type.
> This is not completely trivial to implement, and only helps in uncommon
> deployment scenarios, so I will defer it for now.

I don't have a problem with that.

-- 
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash@oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
