Recreating Master Key

Mike Friedman mikef at ack.Berkeley.EDU
Mon Feb 3 18:14:12 EST 2003

On Mon Feb  3 14:55:07 2003, Marcus Watts said:

>> What do you do when the angry Kerberos Admin leaves the company?  Can
>> you Dump the DB, Recreate it with a new Master Key then Restore?
> The master key does 2 things:
> 	encrypt the database proper
> 	most likely serves as secret used in random number entropy
> In particular, the master key
> 	does *NOT* participate in any form of active on-the-wire authentication
> 		or authorization.
> Hopefully you have a stash file with the master key, and weren't relying
> on your old angry Kerberos administrator to restart the database by hand
> each time the machine crashed.  If you were, your best resort is probably
> the court system.


But the key still has been compromised, even though you can use it (in this
case, the former admin presumably knows the password).  So there's still a
good reason to have the means for changing the master key.

> However, if you wanted to encrypt under a different master key, you could
> certainly dump and restore the database, and use that to change the master
> key.  Looks like the "-mkey_convert" option to dump can do just this.  At
> one point, there was some issue that dump/restore didn't actually save
> *everything* - hopefully that's fixed now.

There was a patch for 1.2.5 that was supposed to fix it.  I just installed
1.2.7 on my test KDC and was pleased to see that the patch has, indeed, been
incorporated.  But I haven't had a chance to try it.  For me, on 1.2.5 without
the patch, the (undocumented) "-mkey_convert" option of kdb5_util actually
core dumped (if I remember correctly).  I was going to test the patch and
never got around to it.  Now I'm hoping to test the feature with 1.2.7 to
see if it really works.



Mike Friedman                             System and Network Security
mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
1-510-642-1410                            University of California at Berkeley
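The dump / -mkey_convert / restore procedure discussed above, as an added stand-alone simulation that is not code from this thread or from MIT Kerberos: principal keys sit in the database wrapped under the master key, and converting re-wraps each entry under a new master key while the principal keys themselves stay unchanged (which is why on-the-wire authentication is unaffected). It also shows the point raised about compromise: a copy of the old dump stays readable by anyone who still holds the old master key. The wrapping scheme (HMAC-SHA256 keystream plus tag) and the principal names are assumptions standing in for the real KDC format.

```python
import hashlib
import hmac
import os

def _keystream(master_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumed stand-in for the KDC's real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(master_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap_key(master_key: bytes, principal_key: bytes) -> bytes:
    """Encrypt one principal's key under the master key: nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(principal_key, _keystream(master_key, nonce, len(principal_key))))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unwrap_key(master_key: bytes, wrapped: bytes) -> bytes:
    """Decrypt a wrapped key; raises ValueError unless master_key is the one it was wrapped under."""
    nonce, ct, tag = wrapped[:16], wrapped[16:-16], wrapped[-16:]
    expected = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master key (or corrupted entry)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(master_key, nonce, len(ct))))

def make_dump(master_key: bytes, principals: dict) -> dict:
    """A dump is {principal: wrapped key}: the database as stored under one master key."""
    return {name: wrap_key(master_key, key) for name, key in principals.items()}

def mkey_convert(dump: dict, old_mkey: bytes, new_mkey: bytes) -> dict:
    """Re-wrap every entry under new_mkey; the principal keys themselves do not change."""
    return {name: wrap_key(new_mkey, unwrap_key(old_mkey, w)) for name, w in dump.items()}

def readable_with(dump: dict, master_key: bytes) -> bool:
    """True if every entry of the dump unwraps cleanly under master_key."""
    try:
        for wrapped in dump.values():
            unwrap_key(master_key, wrapped)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    old_mkey, new_mkey = os.urandom(32), os.urandom(32)
    principals = {"alice@EXAMPLE.COM": os.urandom(16), "krbtgt/EXAMPLE.COM@EXAMPLE.COM": os.urandom(16)}
    new_dump = mkey_convert(make_dump(old_mkey, principals), old_mkey, new_mkey)
    # Converted dump needs the new key; any copy of the OLD dump is still readable with the old key.
    print(readable_with(new_dump, new_mkey), readable_with(new_dump, old_mkey))
```

Rotating the master key therefore protects the database going forward, but backups and dump files made under the old key still need to be treated as exposed to whoever knew it.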