On Wednesday, January 10, 2007 02:16:53 PM -0500 Ken Hornstein

>> In addition to needing to enter a passphrase to launch krb5kdc (with
>> the -m option), it looks like kdb5_util will also need a passphrase,
>> understandably.
>> This means that the traditional cronjob-triggered kprop -> kpropd
>> replication won't work either, right?

> Actually, it shouldn't need a passphrase; the dump files contain the
> encrypted keys not the decrypted ones, and that's what kprop/kpropd
> pass around. I thought that the MIT folks told me that they run without
> a stash file, and I see they have three KDCs.

I can't speak for current code, but several years ago we ran MIT KDC's with
only the master having a stash file, and propagation worked just fine.

-- Jeff
Kerberos mailing list Kerberos@mit.edu