[krbdev.mit.edu #8913] Deleting master key principal entry shouldn't be possible

Greg Hudson via RT

Thu Jun 11 17:20:31 2020: Request 8913 was acted upon.
 Transaction: Ticket created by [hidden email]
       Queue: krb5
     Subject: Deleting master key principal entry shouldn't be possible
       Owner: Nobody
  Requestors: [hidden email]
      Status: open
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8913 >


Running "kadmin.local delprinc K/M" pretty much bricks a KDB. Authentication
will continue to work as long as the current krb5kdc process is running, but
essentially all admin operations will fail, and (short of writing custom code)
there does not seem to be any way to recover. In contrast, other admin
principals like krbtgt/REALM can simply be recreated with random keys.


_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
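
One way to guard against the accidental deletion described in the report above, as an added example that is not part of the original message or of MIT krb5: a shell wrapper that refuses to hand K/M (with or without a realm suffix) to `kadmin.local delprinc`. The function names and the `PROTECTED_PRINCS` variable are hypothetical; K/M is the principal name given in the report.

```shell
#!/bin/sh
# Added example: guard around "kadmin.local delprinc" (not MIT krb5 code).
# PROTECTED_PRINCS is a hypothetical, space-separated list of principal
# names (without realm) that must never be deleted.
PROTECTED_PRINCS="${PROTECTED_PRINCS:-K/M}"

# Strip an optional @REALM suffix so "K/M@EXAMPLE.COM" compares as "K/M".
# Assumption: names use no backslash-escaped "@" or "/".
princ_base() {
    printf '%s\n' "${1%@*}"
}

# Return 0 if the principal is on the protected list, 1 otherwise.
# The comparison is case-sensitive, like principal names themselves.
is_protected() {
    base=$(princ_base "$1")
    for p in $PROTECTED_PRINCS; do
        if [ "$base" = "$p" ]; then
            return 0
        fi
    done
    return 1
}

# Refuse protected names; otherwise run the same command form the report
# uses. Returns 2 on bad usage, 1 on refusal, else kadmin.local's status.
safe_delprinc() {
    if [ $# -ne 1 ] || [ -z "$1" ]; then
        echo "usage: safe_delprinc principal" >&2
        return 2
    fi
    case "$1" in
        -*) echo "principal must not start with '-': $1" >&2; return 2 ;;
    esac
    if is_protected "$1"; then
        echo "refusing to delete protected principal: $1" >&2
        return 1
    fi
    kadmin.local delprinc "$1"
}
```

The guard only covers deletions routed through `safe_delprinc`; a direct `kadmin.local delprinc K/M` still behaves as the report describes.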