upgrading from krb5-1.0b6 to krb5-1.2.5

Tom Yu tlyu at MIT.EDU
Sun Aug 4 19:56:07 EDT 2002



>>>>> "art" == Art Freeman <art at art-freeman.com> writes:

art> Although there is a stash file krb5_util complains that the key
art> is corrupted when I try to load the contents of the old database
art> to the new one.

Are you loading the new database on a machine having the opposite byte
order from the old one?  If so, you should know that there are some
integer fields in the stash file that need to be byte-swapped.

art> By the way, are there any plans to provide a function to change
art> the database master key and change the principals appropriately?

Master key change capability exists, but is buggy, in krb5-1.2.5.  The
following patch should allow master key change to work:

Index: dump.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kadmin/dbutil/dump.c,v
retrieving revision 1.19.2.1
diff -c -r1.19.2.1 dump.c
*** dump.c	2001/01/24 21:48:21	1.19.2.1
- --- dump.c	2002/08/04 23:53:01
***************
*** 255,261 ****
      krb5_error_code	retval;
      krb5_keyblock 	v5plainkey, *key_ptr;
      krb5_keysalt 	keysalt;
!     int	      i;
      krb5_key_data	new_key_data, *key_data;
      krb5_boolean	is_mkey;
  
- --- 255,261 ----
      krb5_error_code	retval;
      krb5_keyblock 	v5plainkey, *key_ptr;
      krb5_keysalt 	keysalt;
!     int	      i, j;
      krb5_key_data	new_key_data, *key_data;
      krb5_boolean	is_mkey;
  
***************
*** 284,290 ****
  	if (retval)
  		return retval;
  	krb5_free_keyblock_contents(context, &v5plainkey);
! 	free(key_data->key_data_contents);
  	*key_data = new_key_data;
      }
      return 0;
- --- 284,294 ----
  	if (retval)
  		return retval;
  	krb5_free_keyblock_contents(context, &v5plainkey);
! 	for (j = 0; j < key_data->key_data_ver; j++) {
! 	    if (key_data->key_data_length[j]) {
! 		free(key_data->key_data_contents[j]);
! 	    }
! 	}
  	*key_data = new_key_data;
      }
      return 0;
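
Review bot: the new loop takes its bound from key_data->key_data_ver and uses j to index key_data_length[] and key_data_contents[], but nothing in this hunk checks that value against the size of those arrays, so a record carrying an unexpected key_data_ver would make the free() calls walk past them. Validate or clamp key_data_ver before the loop. Separately, the `if (retval) return retval;` in the context lines runs before krb5_free_keyblock_contents(context, &v5plainkey), so on that error path the plaintext keyblock is never released; freeing it before returning would close that gap.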


art> Do you have any suggestions as to which DES cracking tools would
art> be useful?

Not really.  The fastest DES cracking engine that is publicly
acknowledged was built from custom hardware.

- ---Tom