question about modifying master_key_type - Kerberos


  1. question about modifying master_key_type

    I did a little digging but was unable to determine if it was possible to
    change the master_key_type kdc.conf parameter to another enctype and
    then modify an existing principal DB to protect the existing principal
    keys using the new master key. If this is possible, how does one go
    about it?

    --
    Will Fiveash
    Sun Microsystems Inc.
    Austin, TX, USA (TZ=CST6CDT)
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: question about modifying master_key_type

    Hey guy,

    You didn't get tired of digging Kerberos? and looking for something new?

    Hooshang

    On 6/22/05, Will Fiveash wrote:
    > I did a little digging but was unable to determine if it was possible to
    > change the master_key_type kdc.conf parameter to another enctype and
    > then modify an existing principal DB to protect the existing principal
    > keys using the new master key. If this is possible, how does one go
    > about it?
    >
    > --
    > Will Fiveash
    > Sun Microsystems Inc.
    > Austin, TX, USA (TZ=CST6CDT)
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >


  3. Re: question about modifying master_key_type

    >I did a little digging but was unable to determine if it was possible to
    >change the master_key_type kdc.conf parameter to another enctype and
    >then modify an existing principal DB to protect the existing principal
    >keys using the new master key. If this is possible, how does one go
    >about it?


    I tried it once. It turns out there are a number of barriers:

    - There's no tool to do it.
    - If you write a tool, you will discover that the master key enctype is
    (inexplicitly) used as the enctype for the history key.

    At that point I gave up, but there may be more problems.

    --Ken


  4. Re: question about modifying master_key_type

    On Thu, Jun 23, 2005 at 10:23:24AM -0400, Ken Hornstein wrote:
    > >I did a little digging but was unable to determine if it was possible to
    > >change the master_key_type kdc.conf parameter to another enctype and
    > >then modify an existing principal DB to protect the existing principal
    > >keys using the new master key. If this is possible, how does one go
    > >about it?
    >
    > I tried it once. It turns out there are a number of barriers:
    >
    > - There's no tool to do it.
    > - If you write a tool, you will discover that the master key enctype is
    > (inexplicitly) used as the enctype for the history key.
    >
    > At that point I gave up, but there may be more problems.


    Yeah, I played around with kdb5_util and came to the same point. It
    would be a nice enhancement to provide a simple way to modify a master
    key's enctype to a stronger enctype and allow migration of the princ. DB
    (and deal with any propagation issues).

    --
    Will Fiveash
    Sun Microsystems Inc.
    Austin, TX, USA (TZ=CST6CDT)