[16388] in Kerberos_V5_Development
Re: Review of Projects/Kadmin hook interface
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Sep 27 16:01:17 2010
From: Russ Allbery <rra@stanford.edu>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
In-Reply-To: <20100927195740.GM9501@oracle.com> (Nicolas Williams's message of
"Mon, 27 Sep 2010 14:57:40 -0500")
Date: Mon, 27 Sep 2010 13:01:14 -0700
Message-ID: <87y6ant0qd.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: lha@h5l.org, Sam Hartman <hartmans@mit.edu>, krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Nicolas Williams <Nicolas.Williams@oracle.com> writes:
> I'm saying it's what it should do. I.e., the kadmin/kadm5 client should
> be modified to randomize keys by doing a cpw with a randomized password.
If you made this change globally (rather than making it an option, such as
in Heimdal), then it would apply to keytab-only principals such as host/*
keys as well. Do we lose any security benefit from having all the
enctypes have independent keys the way that we get now with -randkey? (Or
at least I always assumed we got that now; maybe we don't?)
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
