Storing Master Key in LDAP


Storing Master Key in LDAP

Rachit Raj
Hi,

The LDAP schema for Kerberos has attribute krbmkey to store master key. I
could not find any way to store master key into this attribute. Is there
any way to migrate master key from stash file to LDAP?

Thanks,
Rachit
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Storing Master Key in LDAP

Greg Hudson
On 01/29/2014 06:30 AM, Rachit Raj wrote:
> The LDAP schema for Kerberos has attribute krbmkey to store master key. I
> could not find any way to store master key into this attribute. Is there
> any way to migrate master key from stash file to LDAP?

We don't use that schema attribute; it may be there for Novell
eDirectory or it may not be used by anything.  Storing the master key in
LDAP would seem to defeat the purpose of having a master key at all.

Re: Storing Master Key in LDAP

Simo Sorce
----- Original Message -----
> On 01/29/2014 06:30 AM, Rachit Raj wrote:
> > The LDAP schema for Kerberos has attribute krbmkey to store master key. I
> > could not find any way to store master key into this attribute. Is there
> > any way to migrate master key from stash file to LDAP?
>
> We don't use that schema attribute; it may be there for Novell
> eDirectory or it may not be used by anything.  Storing the master key in
> LDAP would seem to defeat the purpose of having a master key at all.

We use it in FreeIPA, but probably not in the way that Novell used it as I
could not find a reference at the time.

I also have to disagree on the "defeat the purpose" part.

Although KrbPrincipalKey attributes should be kept private, the master key is
an additional line of defense should the attributes of some users be leaked, as
long as the master key is not leaked.

And this is more common than it may be thought, as sometimes admins do searches
against the directory as the "Directory Manager" user (which has full access to
read the attribute), and may stick these searches in bug reports or other log files.

When keys are encrypted with a master key these kinds of "leaks" are less concerning.

Simo.

--
Simo Sorce * Red Hat, Inc. * New York
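The trade-off the two replies are arguing about, as an added example that is not code from this thread, from MIT krb5 or from FreeIPA: principal keys in the directory are wrapped under the KDC master key, so a Directory Manager search dump that ends up in a bug report exposes only wrapped blobs, unless the master key itself is also stored in the directory (the krbMKey setup asked about), in which case the same dump carries everything. The wrapping cipher here is a standard-library stand-in (HMAC-SHA256 in counter mode as keystream with an encrypt-then-MAC tag); a real KDC wraps with the master key's Kerberos enctype. The DNs, the placement of krbMKey on the realm entry and all key material are constructed for the example.

```python
"""Added example, not code from the thread or from MIT krb5 / FreeIPA.

Shows why a master key kept in the stash file still protects a leaked
dump of krbPrincipalKey attributes, and why storing the master key in
the same directory gives that protection away.

Assumptions: the wrapping cipher is a stand-in (HMAC-SHA256 in counter
mode as keystream, encrypt-then-MAC tag); DNs, the krbMKey attribute on
the realm entry, and all key bytes are constructed for illustration."""
import base64
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32
REALM_DN = "cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com"  # constructed DN


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(master_key: bytes, principal_key: bytes) -> bytes:
    """Encrypt a principal key under the master key: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(master_key, nonce, len(principal_key))
    ct = bytes(a ^ b for a, b in zip(principal_key, ks))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(master_key: bytes, blob: bytes) -> bytes:
    """Reverse wrap_key; ValueError if the master key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("master key wrong or krbPrincipalKey blob tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(master_key, nonce, len(ct))))


def build_directory(master_key: bytes, principals: dict, master_key_in_ldap: bool = False) -> dict:
    """Model the KDC subtree as {dn: {attribute: value}}, the shape a
    Directory Manager search would dump. Optionally also store the master
    key in a krbMKey attribute on the realm entry (the setup asked about)."""
    entries = {}
    for name, key in principals.items():
        entries[f"krbPrincipalName={name},{REALM_DN}"] = {
            "krbPrincipalName": name,
            "krbPrincipalKey": base64.b64encode(wrap_key(master_key, key)).decode(),
        }
    realm_attrs = {"cn": "EXAMPLE.COM"}
    if master_key_in_ldap:
        realm_attrs["krbMKey"] = base64.b64encode(master_key).decode()
    entries[REALM_DN] = realm_attrs
    return entries


def recover_keys_from_dump(dump: dict, stash_key: Optional[bytes] = None) -> dict:
    """What someone holding the dump (plus, optionally, the stash file's master
    key) can recover: {principal: key bytes, or None if still wrapped}."""
    mkey = stash_key
    leaked = dump.get(REALM_DN, {}).get("krbMKey")
    if leaked is not None:              # the dump itself carries the master key
        mkey = base64.b64decode(leaked)
    recovered = {}
    for attrs in dump.values():
        if "krbPrincipalKey" not in attrs:
            continue
        name = attrs["krbPrincipalName"]
        if mkey is None:                # wrapped blob only: nothing usable
            recovered[name] = None
            continue
        try:
            recovered[name] = unwrap_key(mkey, base64.b64decode(attrs["krbPrincipalKey"]))
        except ValueError:
            recovered[name] = None
    return recovered


if __name__ == "__main__":
    mk = os.urandom(32)                                   # would live only in the stash file
    keys = {"host/kdc.example.com": os.urandom(32), "alice": os.urandom(32)}
    print(recover_keys_from_dump(build_directory(mk, keys)))                # all None
    print(recover_keys_from_dump(build_directory(mk, keys, True)) == keys)  # True
```

The second print is the case Greg objects to: once krbMKey is an attribute next to the krbPrincipalKey values, the same over-privileged search that leaks the principal keys leaks the key that wraps them, and the extra layer Simo describes is gone.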