Moving Realms

Dr. Greg Wettstein greg at wind.enjellic.com
Wed Mar 19 09:50:30 EST 2003


On Mar 18, 10:01am, Turbo Fredriksson wrote:
} Subject: Re: Moving Realms

> > On Wed, 12 Mar 2003, Sam Hartman wrote:
> >
> > SH>There is no easy way, and the simplest way with the MIT KDC will
> > SH>involve writing a fair bit of code on your part.

> > Howdie Sam,
> > 
> > 	Thanks for the reply. Is there an easy way of dumping the
> > database and then bringing it up on another machine as the primary?
> 
> MOVING it is no problem. But if you're planning on changing the realm 
> in the process, that can't be done...

I was involved in a reasonably large multi-realm KRB5 deployment which
had some degree of mobility of users between realms.  The inability to
painlessly move a user from one authentication realm to another
resulted in less than an ideal management situation.

I had some patches kicking around that stored the raw password value
in the KDC.  If memory serves me correctly the young guy that I had
working on this had stored the value in the TLD (?) list structure
maintained by the KDC.  Our thinking was that if we had that value we
could re-compute the user key when the transition to a new realm
occurred.

	'As an aside to anyone coming in late.  The problem with
	 transitioning a user from one realm to another is that the
	 realm is used as salt in the generation of the user key.
	 That leads to the keys being non-portable between realms.'

I would be interested in what the collective thinking of a strategy
such as this would be?  We crypted the raw password value with the KDC
master key to make sure that the raw password was at least as secure
as the database itself.  My thinking was that if you lose the KDC the
loss of the actual password value itself is probably the least of
one's problems.

The other thing kicking around in my head was to leverage the KDC as a
generic authentication source.  I never got a chance to push the
project as far as I wanted but I was going to nail together a daemon
which ran on the KDC to which applications could pass things like SMB
crypted passwords for verification.  This would allow encrypted SMB
passwords without having to worry about passwords lying around on
multiple servers.

Comments, thoughts on strategies for the realm migration problem?

Greg

}-- End of excerpt from Turbo Fredriksson

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-4950            WWW: http://www.enjellic.com
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"... then the day came when the risk to remain tight in a bud was more
painful than the risk it took to blossom."
                                -- Anais Nin
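The salt problem described in the aside above, as an added example that is not code from this thread or from the MIT KDC: it implements only the PBKDF2 step of the RFC 3962 AES string-to-key function, where the default salt (RFC 4120: realm name followed by the principal's name components) enters, and shows that the same password yields different keys in two realms. The realm EXAMPLE.COM and the migration helper are assumptions for illustration; the principal raeburn@ATHENA.MIT.EDU is the RFC 3962 test-vector principal.

```python
"""Why a Kerberos long-term key cannot simply be copied between realms.

Added example.  Only the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES
string-to-key function is implemented; the remaining DK(tmpkey,
"kerberos") step is a fixed transform of this value, so the realm
dependence shown here carries through unchanged to the real key.
"""
import hashlib

DEFAULT_ITERATIONS = 4096  # RFC 3962 default iteration count
KEY_BYTES = 16             # aes128-cts-hmac-sha1-96 key length


def default_salt(principal: str, realm: str) -> str:
    """RFC 4120 default salt: the realm followed by the principal's name
    components with no separators, e.g. 'ATHENA.MIT.EDUraeburn'."""
    components = principal.split("/")
    return realm + "".join(components)


def string_to_key(password: str, principal: str, realm: str,
                  iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2 stage of the AES string-to-key (RFC 3962 section 4).
    The realm is part of the salt, which is what makes the result
    non-portable between realms."""
    salt = default_salt(principal, realm).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, KEY_BYTES)


def migrate_key(password: str, principal: str, old_realm: str,
                new_realm: str) -> tuple:
    """Hypothetical helper: return (old_key, new_key) for one password.
    Moving a principal to a new realm means re-deriving the key from
    the password, not copying the key out of the old database."""
    return (string_to_key(password, principal, old_realm),
            string_to_key(password, principal, new_realm))


if __name__ == "__main__":
    # EXAMPLE.COM is a constructed destination realm for the demo.
    old, new = migrate_key("password", "raeburn", "ATHENA.MIT.EDU",
                           "EXAMPLE.COM")
    print("old realm key:", old.hex())
    print("new realm key:", new.hex())
    print("portable between realms:", old == new)  # False: salt differs
```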