Recreating Master Key
Mike Friedman
mikef at ack.Berkeley.EDU
Mon Feb 3 18:14:12 EST 2003
On Mon Feb 3 14:55:07 2003, Marcus Watts said:
>> What do you do when the angry Kerberos Admin leaves the company? Can
>> you Dump the DB, Recreate it with a new Master Key then Restore?
>
> The master key does 2 things:
>   - encrypt the database proper
>   - most likely serves as secret used in random number entropy
> In particular, the master key does *NOT* participate in any form of active
> on-the-wire authentication or authorization.
> Hopefully you have a stash file with the master key, and weren't relying
> on your old angry kerberos administrator to restart the database by hand
> each time the machine crashed. If you were, your best resort is probably
> the court system.
Marcus,
But the key has still been compromised, even though you can use it (in this
case, the former admin presumably knows the password). So there's still a
good reason to have the means for changing the master key.
> However, if you wanted to encrypt under a different master key, you could
> certainly dump and restore the database, and use that to change the master
> key. Looks like the "-mkey_convert" option to dump can do just this. At
> one point, there was some issue that dump/restore didn't actually save
> *everything* - hopefully that's fixed now.
There was a patch for 1.2.5 that was supposed to fix it. I just installed
1.2.7 on my test KDC and was pleased to see that the patch has, indeed, been
incorporated. But I haven't had a chance to try it. For me, on 1.2.5 without
the patch, the (undocumented) "-mkey_convert" option of kdb5_util actually
core dumped (if I remember correctly). I was going to test the patch and
never got around to it. Now I'm hoping to test the feature with 1.2.7 to
see if it really works.
Thanks.
Mike
------------------------------------------------------------------------------
Mike Friedman System and Network Security
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
------------------------------------------------------------------------------
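The following toy model is an added illustration of the two points argued in the thread, that the master key only wraps the stored database and that rotating it leaves every principal's own key (and so every keytab and every ticket exchange) untouched. It is not code from the original post or from MIT Kerberos. Its cipher (HMAC-SHA256 in counter mode with a separate HMAC tag), its key derivation (PBKDF2 salted with the realm name, standing in for the Kerberos string-to-key function), and the realm, principal names and passwords are all assumptions made for the example; `mkey_convert()` models the effect of `kdb5_util dump -mkey_convert` followed by a `kdb5_util load`, not its implementation.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_master_key(password: str, realm: str) -> bytes:
    """Stand-in for the string-to-key of K/M@REALM (assumption: PBKDF2 salted
    with the realm name). The stash file holds the output of this step."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy cipher standing in for the KDC enctype."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, assoc: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with `assoc` bound into the tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, assoc + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, assoc: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, assoc + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or altered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encrypt_database(master_key: bytes, principal_keys: dict) -> dict:
    """Stored form of the KDB: each principal's long-term key wrapped under the master key."""
    return {p: encrypt(master_key, p.encode(), k) for p, k in principal_keys.items()}


def mkey_convert(db: dict, old_master: bytes, new_master: bytes) -> dict:
    """Model of `kdb5_util dump -mkey_convert` plus `kdb5_util load`: unwrap every
    record under the old master key and rewrap it under the new one. The
    principals' own keys pass through unchanged."""
    return {p: encrypt(new_master, p.encode(), decrypt(old_master, p.encode(), blob))
            for p, blob in db.items()}


def issue_ticket(db: dict, master_key: bytes, service: str, session_key: bytes) -> bytes:
    """The KDC's on-the-wire step: unwrap the *service's* key from the database and
    encrypt the ticket under it. The master key itself never goes on the wire."""
    service_key = decrypt(master_key, service.encode(), db[service])
    return encrypt(service_key, service.encode(), session_key)


def service_reads_ticket(keytab_key: bytes, service: str, ticket: bytes) -> bytes:
    """What the application server does with the key from its keytab."""
    return decrypt(keytab_key, service.encode(), ticket)


def rotation_demo() -> dict:
    """Rotate the master key and report what changed and what did not."""
    realm = "EXAMPLE.COM"  # constructed sample realm, principals and passwords
    svc = "host/app.example.com@EXAMPLE.COM"
    principals = {svc: os.urandom(32), "alice@EXAMPLE.COM": os.urandom(32)}
    old_master = derive_master_key("password-the-old-admin-knows", realm)
    new_master = derive_master_key("fresh-password", realm)

    db = encrypt_database(old_master, principals)
    new_db = mkey_convert(db, old_master, new_master)

    keys_unchanged = all(decrypt(new_master, p.encode(), new_db[p]) == k
                         for p, k in principals.items())
    try:
        decrypt(old_master, svc.encode(), new_db[svc])
        old_master_still_decrypts = True
    except ValueError:
        old_master_still_decrypts = False

    # A ticket issued after the rotation is still readable with the unchanged keytab key.
    session = os.urandom(16)
    ticket = issue_ticket(new_db, new_master, svc, session)
    keytab_still_valid = service_reads_ticket(principals[svc], svc, ticket) == session

    return {"keys_unchanged": keys_unchanged,
            "old_master_still_decrypts": old_master_still_decrypts,
            "keytab_still_valid": keytab_still_valid}


if __name__ == "__main__":
    print(rotation_demo())
```

Running `rotation_demo()` gives `keys_unchanged` True, `old_master_still_decrypts` False and `keytab_still_valid` True: after the conversion the old password (and the old stash file) no longer opens the database, while no keytab or client is affected. On a real KDC the dump-and-load route still means stopping the KDC, replacing the stash file with one for the new key before the load, and protecting the cleartext dump; later MIT releases (1.7 onward) added `kdb5_util add_mkey`, `use_mkey`, `update_princ_encryption` and `purge_mkeys` for rotating the master key in place.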