Re: Remembering Master Password - Kerberos



Thread: Re: Remembering Master Password

  1. Re: Remembering Master Password


    On Sep 23, 2006, at 9:05 AM, kerberos-request@mit.edu wrote:

    > Date: Sat, 23 Sep 2006 08:42:51 CDT
    > From: John Hascall
    > Subject: Re: Remembering Master Password
    > To: "Jason C. Wells"
    > Cc: kerberos@mit.edu
    > Message-ID: <200609231342.IAA03158@malison.ait.iastate.edu>
    >
    >
    >> In big bold letters we are warned to "NOT FORGET" the password to the
    >> database. For years I have kept my password faithfully documented
    >> and I
    >> have _never_ used it. Why do I need to remember my database master
    >> password?

    >
    > You have two options with your master password. One is to keep
    > a copy on disk (what you seem to have done) and the other is to
    > be prompted for it each time the KDC starts. In any event if you
    > forget (and lose the file with) the master password your KDC DB
    > is useless as it can not be decrypted to be used.
    >
    >> Can I randomize the database master password similar to using -randkey
    >> on my service principals?

    >
    > I don't think I've seen a procedure documented to do that,
    > if you really want to do that, I'd try it on a test realm
    > first for sure!
    >
    > John


    Heimdal uses a standard keytab file for the master password. In
    Heimdal kadmin you can do:

    add -r M/K
    del_enc M/K
    ext_key -k M/K
    delete M/K

    Heimdal also supports multiple master key versions in the keytab, and
    can re-encrypt the database with a new master key by doing
    hprop --encrypt --stdout | hpropd --stdin.

    If someone wanted to add those features to MIT I'm sure they would
    like the contribution.

    ----------------------------------------------------------------------------
    The opinions expressed in this message are mine,
    not those of Caltech, JPL, NASA, or the US Government.
    Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Remembering Master Password



    On Wednesday, September 27, 2006 08:52:52 AM -0700 "Henry B. Hotz"
    wrote:

    > Heimdal uses a standard keytab file for the master password. In
    > Heimdal kadmin you can do:
    >
    > add -r M/K
    > del_enc M/K
    > ext_key -k M/K
    > delete M/K


    You can, but if you do that multiple times, you'll end up with multiple
    keys with the same kvno. Since Heimdal records for each record the version
    of the master key that was used to encrypt it (if any), it can handle
    multiple keys and do a gradual transition. But that won't work if you keep
    reusing the same version.

    Also, that's rather convoluted compared to

    ktutil add -r -p M/K


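Jeff's point above, that Heimdal tags every database record with the version of the master key that encrypted it, is what makes a gradual transition possible and is exactly what reusing a kvno breaks. The following is an added Python model of that bookkeeping; it is not Heimdal code. The keytab is an ordered list of (kvno, key) entries, lookup takes the first matching entry (an assumption about a real keytab reader), and the record cipher is an HMAC-SHA256 counter-mode stream with a MAC as a stand-in for the database enctype, so only the versioning logic is meant to be taken literally. Principal names and key bytes are constructed.

```python
import hashlib
import hmac
import os

# Constructed model of a Heimdal-style master-key keytab: an ordered list of
# (kvno, key) entries. Duplicates are allowed on purpose, because that is the
# failure described in the thread. Lookup returns the first match (assumption;
# a real keytab reader may behave differently).
def lookup(keytab, kvno):
    for v, k in keytab:
        if v == kvno:
            return k
    raise KeyError(f"no master key with kvno {kvno}")

def add_master_key(keytab, kvno):
    """Append a fresh random master key under an explicit kvno. There is no
    collision check, just as 'ktutil add' with a wrong kvno has none."""
    key = os.urandom(32)
    keytab.append((kvno, key))
    return key

def _subkeys(mkey):
    # Derive separate encryption and MAC keys from the master key.
    return (hmac.new(mkey, b"enc", hashlib.sha256).digest(),
            hmac.new(mkey, b"mac", hashlib.sha256).digest())

def _stream(ekey, nonce, n):
    # HMAC-SHA256 in counter mode as the keystream: a stand-in for the
    # database enctype, since the versioning logic is the point here.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(ekey, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(mkey, kvno, princ_key):
    """Encrypt one principal's key and tag the record with the master kvno used."""
    ekey, mac = _subkeys(mkey)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(princ_key, _stream(ekey, nonce, len(princ_key))))
    tag = hmac.new(mac, kvno.to_bytes(4, "big") + nonce + ct, hashlib.sha256).digest()
    return {"mkvno": kvno, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(keytab, rec):
    """Decrypt a record using whichever master key its mkvno names."""
    ekey, mac = _subkeys(lookup(keytab, rec["mkvno"]))
    expect = hmac.new(mac, rec["mkvno"].to_bytes(4, "big") + rec["nonce"] + rec["ct"],
                      hashlib.sha256).digest()
    if not hmac.compare_digest(expect, rec["tag"]):
        raise ValueError(f"record tagged mkvno {rec['mkvno']} does not verify under that key")
    return bytes(a ^ b for a, b in zip(rec["ct"], _stream(ekey, rec["nonce"], len(rec["ct"]))))

def reencrypt(keytab, db, new_kvno):
    """The 'hprop --encrypt | hpropd' step: decrypt each record with the key
    its mkvno names, then re-seal everything under new_kvno."""
    new_key = lookup(keytab, new_kvno)
    return {p: seal(new_key, new_kvno, unseal(keytab, r)) for p, r in db.items()}

def demo():
    keytab = []
    k1 = add_master_key(keytab, 1)
    db = {"alice@EXAMPLE.COM": seal(k1, 1, b"alice-key-bytes"),
          "host/kdc.example.com@EXAMPLE.COM": seal(k1, 1, b"kdc-key-bytes")}
    # Gradual transition: add kvno 2; new records use it, old ones stay on kvno 1.
    k2 = add_master_key(keytab, 2)
    db["bob@EXAMPLE.COM"] = seal(k2, 2, b"bob-key-bytes")
    mixed_ok = (unseal(keytab, db["alice@EXAMPLE.COM"]) == b"alice-key-bytes"
                and unseal(keytab, db["bob@EXAMPLE.COM"]) == b"bob-key-bytes")
    db = reencrypt(keytab, db, 2)
    all_v2 = all(r["mkvno"] == 2 for r in db.values())
    # The pitfall from the thread: another random key that reuses kvno 2.
    k2_dup = add_master_key(keytab, 2)
    rec = seal(k2_dup, 2, b"carol-key-bytes")
    try:
        unseal(keytab, rec)  # lookup returns the first kvno-2 key, the wrong one
        dup_fails = False
    except ValueError:
        dup_fails = True
    return {"mixed_ok": mixed_ok, "all_v2": all_v2, "duplicate_kvno_fails": dup_fails}

if __name__ == "__main__":
    print(demo())
```

The mixed-version step is the interesting one: records on kvno 1 and kvno 2 coexist and both decrypt, so the re-encryption pass can run whenever convenient. Once a second key shares kvno 2, the tag no longer identifies a single key and records sealed under the newer one fail to verify.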


  3. Re: Remembering Master Password


    On Sep 27, 2006, at 11:10 AM, Jeffrey Hutzelman wrote:

    >
    >
    > On Wednesday, September 27, 2006 08:52:52 AM -0700 "Henry B. Hotz"
    > wrote:
    >
    >> Heimdal uses a standard keytab file for the master password. In
    >> Heimdal kadmin you can do:
    >>
    >> add -r M/K
    >> del_enc M/K

    mod --kvno== M/K ;-)
    >> ext_key -k M/K
    >> delete M/K

    >
    > You can, but if you do that multiple times, you'll end up with
    > multiple keys with the same kvno. Since Heimdal records for each
    > record the version of the master key that was used to encrypt it
    > (if any), it can handle multiple keys and do a gradual transition.
    > But that won't work if you keep reusing the same version.
    >
    > Also, that's rather convoluted compared to
    >
    > ktutil add -r -p M/K


    So it is. You can't delete it from the master DB afterwards with
    ktutil, but I guess you're advocating just leaving it there so you
    don't have to track the version number yourself?

    ----------------------------------------------------------------------------
    The opinions expressed in this message are mine,
    not those of Caltech, JPL, NASA, or the US Government.
    Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu




  4. Re: Remembering Master Password



    On Wednesday, September 27, 2006 01:26:22 PM -0700 "Henry B. Hotz"
    wrote:

    >
    > On Sep 27, 2006, at 11:10 AM, Jeffrey Hutzelman wrote:
    >
    >>
    >>
    >> On Wednesday, September 27, 2006 08:52:52 AM -0700 "Henry B. Hotz"
    >> wrote:
    >>
    >>> Heimdal uses a standard keytab file for the master password. In
    >>> Heimdal kadmin you can do:
    >>>
    >>> add -r M/K
    >>> del_enc M/K

    > mod --kvno== M/K ;-)
    >>> ext_key -k M/K
    >>> delete M/K

    >>
    >> You can, but if you do that multiple times, you'll end up with
    >> multiple keys with the same kvno. Since Heimdal records for each
    >> record the version of the master key that was used to encrypt it
    >> (if any), it can handle multiple keys and do a gradual transition.
    >> But that won't work if you keep reusing the same version.
    >>
    >> Also, that's rather convoluted compared to
    >>
    >> ktutil add -r -p M/K

    >
    > So it is. You can't delete it from the master DB afterwards with
    > ktutil, but I guess you're advocating just leaving it there so you don't
    > have to track the version number yourself?


    'ktutil add' doesn't talk to the server at all; it only manipulates the
    keytab. So, the entry never gets added to the database.


  5. Re: Remembering Master Password


    On Sep 27, 2006, at 1:38 PM, Jeffrey Hutzelman wrote:
    >
    > On Wednesday, September 27, 2006 01:26:22 PM -0700 "Henry B. Hotz"
    > wrote:
    >>
    >> On Sep 27, 2006, at 11:10 AM, Jeffrey Hutzelman wrote:
    >>>
    >>> On Wednesday, September 27, 2006 08:52:52 AM -0700 "Henry B. Hotz"
    >>> wrote:
    >>>
    >>>> Heimdal uses a standard keytab file for the master password. In
    >>>> Heimdal kadmin you can do:
    >>>>
    >>>> add -r M/K
    >>>> del_enc M/K

    >> mod --kvno== M/K ;-)
    >>>> ext_key -k M/K
    >>>> delete M/K
    >>>
    >>> You can, but if you do that multiple times, you'll end up with
    >>> multiple keys with the same kvno. Since Heimdal records for each
    >>> record the version of the master key that was used to encrypt it
    >>> (if any), it can handle multiple keys and do a gradual transition.
    >>> But that won't work if you keep reusing the same version.
    >>>
    >>> Also, that's rather convoluted compared to
    >>>
    >>> ktutil add -r -p M/K

    >>
    >> So it is. You can't delete it from the master DB afterwards with
    >> ktutil, but I guess you're advocating just leaving it there so
    >> you don't
    >> have to track the version number yourself?

    >
    > 'ktutil add' doesn't talk to the server at all; it only manipulates
    > the keytab. So, the entry never gets added to the database.


    I stand corrected. change or get interact with kadmind.

    I'm assuming from your omission that add will look at the existing
    kvno's and create the next one?

    ----------------------------------------------------------------------------
    The opinions expressed in this message are mine,
    not those of Caltech, JPL, NASA, or the US Government.
    Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu




  6. Re: Remembering Master Password



    On Wednesday, September 27, 2006 01:54:30 PM -0700 "Henry B. Hotz"
    wrote:

    > I'm assuming from your omission that add will look at the existing
    > kvno's and create the next one?


    Well, the man page claims it will prompt for anything you don't specify;
    I'm not sure I believe that wrt enctypes, but I bet it's true for the kvno.
    So yes, you'd have to list the existing keytab and pick a new kvno.

    -- Jeff


  7. Re: Remembering Master Password


    On Sep 27, 2006, at 2:00 PM, Jeffrey Hutzelman wrote:

    > On Wednesday, September 27, 2006 01:54:30 PM -0700 "Henry B. Hotz"
    > wrote:
    >
    >> I'm assuming from your omission that add will look at the existing
    >> kvno's and create the next one?

    >
    > Well, the man page claims it will prompt for anything you don't
    > specify; I'm not sure I believe that wrt enctypes, but I bet it's
    > true for the kvno. So yes, you'd have to list the existing keytab
    > and pick a new kvno.
    >
    > -- Jeff


    Just tried it. (I happen to be setting up a new dev realm.) It will
    prompt for enctype and kvno. I don't think I explicitly told it what
    realm it was, but I did give it the file and principal of course.

    ----------------------------------------------------------------------------
    The opinions expressed in this message are mine,
    not those of Caltech, JPL, NASA, or the US Government.
    Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu


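Jeff's advice to list the existing keytab and pick a new kvno yourself, which Henry confirms 'ktutil add' otherwise prompts for, is easy to get wrong by hand; the script below is an added Python helper (not part of the thread or of Heimdal) that parses a 'ktutil list' style listing, refuses to proceed if the master principal already has duplicate kvnos, chooses max+1, and builds the non-interactive 'ktutil add' command line. The sample listing, keytab path and realm are constructed; the option names (-k keytab, -p principal, -V kvno, -e enctype, -r random key) are the ones I know from Heimdal's ktutil(1), so check them against your version before relying on the generated command.

```python
import re

# Constructed sample of 'ktutil -k /var/heimdal/m-key list' output. The column
# layout (Vno / Type / Principal) follows Heimdal's listing; path, realm and
# entries are made up for this example.
SAMPLE_LISTING = """\
FILE:/var/heimdal/m-key

Vno  Type                     Principal                Aliases
  1  aes256-cts-hmac-sha1-96  M/K@EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  M/K@EXAMPLE.COM
"""

# Entry lines start with the kvno; header, path and blank lines do not.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")

def parse_listing(text):
    """Return (kvno, enctype, principal) tuples from a ktutil list listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def kvnos_for(entries, principal):
    return [v for v, _, p in entries if p == principal]

def duplicate_kvnos(entries, principal):
    """kvnos that occur more than once for the same principal and enctype:
    the 'multiple keys with the same kvno' state the thread warns about."""
    seen, dups = set(), set()
    for v, e, p in entries:
        if p != principal:
            continue
        if (v, e) in seen:
            dups.add(v)
        seen.add((v, e))
    return sorted(dups)

def next_kvno(entries, principal):
    """Highest existing kvno for the principal plus one (1 for an empty keytab)."""
    return max(kvnos_for(entries, principal), default=0) + 1

def ktutil_add_argv(keytab, principal, kvno, enctype):
    """argv for a non-interactive 'ktutil add' with a random key (option names
    as in Heimdal ktutil(1); verify against the installed version)."""
    return ["ktutil", "-k", keytab, "add", "-p", principal,
            "-V", str(kvno), "-e", enctype, "-r"]

def plan_rotation(listing, keytab, principal="M/K@EXAMPLE.COM",
                  enctype="aes256-cts-hmac-sha1-96"):
    """Parse the listing, refuse on duplicate kvnos, and return
    (new_kvno, argv) for adding the next master key version."""
    entries = parse_listing(listing)
    dups = duplicate_kvnos(entries, principal)
    if dups:
        raise RuntimeError(f"keytab already has duplicate kvno(s) {dups} for {principal}")
    kvno = next_kvno(entries, principal)
    return kvno, ktutil_add_argv(keytab, principal, kvno, enctype)

if __name__ == "__main__":
    kvno, argv = plan_rotation(SAMPLE_LISTING, "/var/heimdal/m-key")
    print(kvno, " ".join(argv))
```

Feed it the real listing ('ktutil -k <master keytab> list') rather than the sample, and keep the re-encryption step (hprop --encrypt --stdout | hpropd --stdin, as in Henry's first message) as a separate, deliberate action after the new key is in place.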

