On Wednesday, January 10, 2007 02:16:53 PM -0500 Ken Hornstein
wrote:

>> In addition to needing to enter a passphrase to launch krb5kdc (with
>> the -m option), it looks like kdb5_util will also need a passphrase,
>> understandably.
>>
>> This means that the traditional cronjob-triggered kprop -> kpropd
>> replication won't work either, right?

>
> Actually, it shouldn't need a passphrase; the dump files contain the
> encrypted keys not the decrypted ones, and that's what kprop/kpropd
> pass around. I thought that the MIT folks told me that they run without
> a stash file, and I see they have three KDCs.


I can't speak for current code, but several years ago we ran MIT KDC's with
only the master having a stash file, and propagation worked just fine.

-- Jeff
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos