question about modifying master_key_type
Will Fiveash
William.Fiveash at sun.com
Thu Jun 23 12:57:02 EDT 2005
On Thu, Jun 23, 2005 at 10:23:24AM -0400, Ken Hornstein wrote:
> >I did a little digging but was unable to determine if it was possible to
> >change the master_key_type kdc.conf parameter to another enctype and
> >then modify an existing principal DB to protect the existing principal
> >keys using the new master key. If this is possible, how does one go
> >about it?
>
> I tried it once. It turns out there are a number of barriers:
>
> - There's no tool to do it.
> - If you write a tool, you will discover that the master key enctype is
> (inexplicitly) used as the enctype for the history key.
>
> At that point I gave up, but there may be more problems.

Yeah, I played around with kdb5_util and came to the same point. It
would be a nice enhancement to provide a simple way to modify a master
key's enctype to a stronger enctype and allow migration of the princ. DB
(and deal with any propagation issues).
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)