krb524d and reading master key from keyboard

Tom Yu tlyu at MIT.EDU
Fri Aug 30 17:08:49 EDT 2002


>>>>> "gdt" == Greg Troxel <gdt at ir.bbn.com> writes:

gdt> It's not clear that 'krb524d -m' is supposed to read the master key
gdt> from the keyboard, or if that is instruction to use the master key
gdt> rather than the keytab.  However, it seems not right that one could
gdt> only use krb524d with a stash file.  I would suggest that among all
gdt> the programs that need the master key, '-m' be uniformly treated as
gdt> reading the master key from the keyboard.

gdt> Here's my patch, which surely breaks those with stash files.

[...]

It would appear that your patch would force the master key to be read
from the keyboard, regardless of whether a stash file was intended.

I believe the intent of "-m" as opposed to "-k" is to cause the
krb524d to use the principal database instead of using a keytab.
Adding an additional flag to specify that the master key is to be read
from the keyboard might not be a bad idea, and the inability of
krb524d to read the master key from the keyboard is arguably a bug.

It's unfortunate that the "-m" flag means something different to the
krb524d than to krb5kdc, or to other KDC daemons.  I might attribute
this discrepancy to the separate origin of krb524d, perhaps.

Does anyone else have opinions on whether "krb524d -m" should be
aligned with the other KDC daemons in terms of forcing it to read the
master key from the keyboard?  The alternative would be to preserve
the "-m" flag with its current meaning, and to add an additional flag
to mean "read master key from keyboard".

---Tom
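To make the two designs under discussion concrete, here is a small added illustration (not part of this message, the posted patch, or the MIT krb5 sources). It models krb524d option handling with the real "-m" and "-k" flags, plus a hypothetical "-M" standing in for the separate "read master key from keyboard" flag Tom proposes; the flag name and the resolution functions are assumptions for the example only.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from MIT krb5 or from the patch under discussion.
 * It models the two option designs contrasted in the thread:
 *   (a) the posted patch: "-m" always reads the master key from the keyboard;
 *   (b) the alternative: "-m" keeps meaning "use the principal database",
 *       and a separate flag ("-M" here, a hypothetical name) requests the
 *       keyboard prompt; without it the stash file is used as before.
 */

enum key_source {
    KEY_FROM_KEYTAB = 0,   /* default / -k: service key from a keytab */
    KEY_FROM_STASH = 1,    /* -m alone: master key from the stash file */
    KEY_FROM_KEYBOARD = 2  /* master key prompted for on the terminal */
};

struct krb524_opts {
    int use_db;              /* -m: use the principal database, not a keytab */
    int mkey_from_keyboard;  /* -M (hypothetical): prompt for the master key */
    const char *keytab;      /* -k <file>: keytab path */
};

/* Parse argv[1..argc-1]. Returns 0 on success, -1 on an unknown flag or a
 * missing argument. "-m" and "-k" are the real krb524d flags; "-M" is the
 * hypothetical flag this example adds. */
int parse_opts(int argc, char **argv, struct krb524_opts *o)
{
    int i;
    memset(o, 0, sizeof(*o));
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-m") == 0) {
            o->use_db = 1;
        } else if (strcmp(argv[i], "-M") == 0) {
            o->mkey_from_keyboard = 1;
        } else if (strcmp(argv[i], "-k") == 0) {
            if (i + 1 >= argc)
                return -1;          /* -k needs a file name */
            o->keytab = argv[++i];
        } else {
            return -1;              /* unknown option */
        }
    }
    return 0;
}

/* Design (a): the posted patch. Any use of the database forces a keyboard
 * prompt, so an admin relying on a stash file can no longer start the
 * daemon unattended. */
enum key_source key_source_patched(const struct krb524_opts *o)
{
    if (!o->use_db)
        return KEY_FROM_KEYTAB;
    return KEY_FROM_KEYBOARD;
}

/* Design (b): "-m" unchanged, separate flag for the keyboard. The stash
 * file remains the default; -M opts into the prompt explicitly, and -M
 * without -m has no effect because no master key is needed. */
enum key_source key_source_separate_flag(const struct krb524_opts *o)
{
    if (!o->use_db)
        return KEY_FROM_KEYTAB;
    return o->mkey_from_keyboard ? KEY_FROM_KEYBOARD : KEY_FROM_STASH;
}

int main(int argc, char **argv)
{
    struct krb524_opts o;
    if (parse_opts(argc, argv, &o) != 0) {
        fprintf(stderr, "usage: %s [-m [-M]] [-k keytab]\n", argv[0]);
        return 1;
    }
    printf("patched design: %d, separate-flag design: %d\n",
           key_source_patched(&o), key_source_separate_flag(&o));
    return 0;
}
```

Running it with just "-m" shows the difference the thread is about: the patched design returns the keyboard source (2) and so would block an unattended start, while the separate-flag design still returns the stash file (1) and only prompts when "-M" is given as well.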


