
Re: Automatically randomizing principal keys (in preauth plugin)

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Mar 24 13:05:31 2011

From: Greg Hudson <ghudson@mit.edu>
To: Yair Yarom <irush@cs.huji.ac.il>
In-Reply-To: <x8qmxkklb6a.fsf@mantis.cs.huji.ac.il>
Date: Thu, 24 Mar 2011 13:05:26 -0400
Message-ID: <1300986326.10465.45.camel@t410>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Thu, 2011-03-24 at 12:45 -0400, Yair Yarom wrote:
> Thanks for the detailed reply.

> 1. Is there a way to get the master key (and some salts) from the kdc?
>    my current method (more or less copied from
>    kdb5_util.c:add_random_key) is to call krb5_db_setup_mkey_name,
>    krb5_read_realm_params and krb5_db_fetch_mkey. But if the kdc was
>    started with special parameters, this might not work properly.

Unfortunately for your purposes, I'm not sure there's a better way.  A
copy of the master key list is held in the DAL handle, but there's no
function to access it.  Prior to krb5 1.9 you could call
krb5_db_get_mkey_list(), but that's been removed.

There are provisions to allow plugins to decrypt key data by passing a
null master key list, but no allowances made for plugins which want to
encrypt key data.

> 2. The database isn't updated. I actually prefer that the database won't
>    be updated, but then I wonder how it works. I.e. the kdc appears
>    to find the client key, but just until the next 'kinit', where the
>    plugin randomizes a new key (as it can't find one).

You're modifying the in-memory database record handed to you by the KDC
code, and the modified record continues to be used by the KDC.

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev