question about modifying master_key_type

Will Fiveash
I did a little digging but was unable to determine if it was possible to
change the master_key_type kdc.conf parameter to another enctype and
then modify an existing principal DB to protect the existing principal
keys using the new master key.  If this is possible, how does one go
about it?

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: question about modifying master_key_type

Hooshang
Hey guy,

You didn't get tired of digging Kerberos? and looking for something new?

Hooshang

On 6/22/05, Will Fiveash <[hidden email]> wrote:

> I did a little digging but was unable to determine if it was possible to
> change the master_key_type kdc.conf parameter to another enctype and
> then modify an existing principal DB to protect the existing principal
> keys using the new master key.  If this is possible, how does one go
> about it?
>
> --
> Will Fiveash
> Sun Microsystems Inc.
> Austin, TX, USA (TZ=CST6CDT)


Re: question about modifying master_key_type

Ken Hornstein
In reply to this post by Will Fiveash
>I did a little digging but was unable to determine if it was possible to
>change the master_key_type kdc.conf parameter to another enctype and
>then modify an existing principal DB to protect the existing principal
>keys using the new master key.  If this is possible, how does one go
>about it?

I tried it once.  It turns out there are a number of barriers:

- There's no tool to do it.
- If you write a tool, you will discover that the master key enctype is
  (inexplicitly) used as the enctype for the history key.

At that point I gave up, but there may be more problems.

--Ken

Re: question about modifying master_key_type

Will Fiveash
On Thu, Jun 23, 2005 at 10:23:24AM -0400, Ken Hornstein wrote:

> >I did a little digging but was unable to determine if it was possible to
> >change the master_key_type kdc.conf parameter to another enctype and
> >then modify an existing principal DB to protect the existing principal
> >keys using the new master key.  If this is possible, how does one go
> >about it?
>
> I tried it once.  It turns out there are a number of barriers:
>
> - There's no tool to do it.
> - If you write a tool, you will discover that the master key enctype is
>   (inexplicitly) used as the enctype for the history key.
>
> At that point I gave up, but there may be more problems.

Yeah, I played around with kdb5_util and came to the same point.  It
would be a nice enhancement to provide a simple way to modify a master
key's enctype to a stronger enctype and allow migration of the princ. DB
(and deal with any propagation issues).

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)