Re: "If you choose to install a stash file..."
On Wednesday, January 10, 2007 02:16:53 PM -0500 Ken Hornstein
>> In addition to needing to enter a passphrase to launch krb5kdc (with
>> the -m option), it looks like kdb5_util will also need a passphrase,
>> This means that the traditional cronjob-triggered kprop -> kpropd
>> replication won't work either, right?[/color]
> Actually, it shouldn't need a passphrase; the dump files contain the
> encrypted keys not the decrypted ones, and that's what kprop/kpropd
> pass around. I thought that the MIT folks told me that they run without
> a stash file, and I see they have three KDCs.[/color]
I can't speak for current code, but several years ago we ran MIT KDC's with
only the master having a stash file, and propagation worked just fine.
Kerberos mailing list [email]Kerberos@mit.edu[/email]