question about modifying master_key_type

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Jun 23 10:23:24 EDT 2005


>I did a little digging but was unable to determine if it was possible to
>change the master_key_type kdc.conf parameter to another enctype and
>then modify an existing principal DB to protect the existing principal
>keys using the new master key.  If this is possible, how does one go
>about it?

I tried it once.  It turns out there are a number of barriers:

- There's no tool to do it.
- If you write a tool, you will discover that the master key enctype is
  (inexplicitly) used as the enctype for the history key.

At that point I gave up, but there may be more problems.

--Ken


More information about the Kerberos mailing list