Remembering Master Password

Henry B. Hotz hotz at jpl.nasa.gov
Wed Sep 27 11:52:52 EDT 2006


On Sep 23, 2006, at 9:05 AM, kerberos-request at mit.edu wrote:

> Date: Sat, 23 Sep 2006 08:42:51 CDT
> From: John Hascall <john at iastate.edu>
> Subject: Re: Remembering Master Password
> To: "Jason C. Wells" <jcw at highperformance.net>
> Cc: kerberos at mit.edu
> Message-ID: <200609231342.IAA03158 at malison.ait.iastate.edu>
>
>
>> In big bold letters we are warned to "NOT FORGET" the password to the
>> database.  For years I have kept my password faithfully documented and I
>> have _never_ used it.  Why do I need to remember my database master
>> password?
>
>    You have two options with your master password.  One is to keep
>    a copy on disk (what you seem to have done) and the other is to
>    be prompted for it each time the KDC starts.  In any event if you
>    forget (and lose the file with) the master password your KDC DB
>    is useless as it can not be decrypted to be used.
>
>> Can I randomize the database master password similar to using -randkey
>> on my service principals?
>
>    I don't think I've seen a procedure documented to do that,
>    if you really want to do that, I'd try it on a test realm
>    first for sure!
>
> John

Heimdal uses a standard keytab file for the master password.  In Heimdal
kadmin you can do:

add -r M/K
del_enc M/K <all encryption types except the one you want>
ext_key -k <master key stash location> M/K
delete M/K

Heimdal also supports multiple master key versions in the keytab, and
can re-encrypt the database with a new master key by doing
hprop --encrypt --stdout | hpropd --stdin.

If someone wanted to add those features to MIT I'm sure they would
like the contribution.

----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
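A scripted form of the Heimdal kadmin steps Henry lists, with the two guards a KDC operator would add (a fresh database dump before touching M/K, and an owner-only stash file afterwards). This is an added example, not code from the thread or from Heimdal; it assumes the command names exactly as the post gives them (add -r, del_enc, ext_key, delete), kadmin in local mode, and an enctype list and stash path supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread or the Heimdal project.
# Assumes: Heimdal kadmin in local mode ("kadmin -l"), root on the KDC, and
# the command names exactly as Henry's post gives them.
set -eu

KADMIN="${KADMIN:-kadmin -l}"          # override with a stand-in when testing

# Emit the four kadmin commands from the post. $1 = enctype to keep,
# $2 = stash (keytab) path, remaining args = every enctype the realm
# generates for M/K (del_enc drops all but the kept one).
master_key_script() {
    keep="$1"; stash="$2"; shift 2
    drop=""
    for e in "$@"; do
        [ "$e" = "$keep" ] || drop="$drop $e"
    done
    printf 'add -r M/K\n'
    [ -z "$drop" ] || printf 'del_enc M/K%s\n' "$drop"
    printf 'ext_key -k %s M/K\n' "$stash"
    printf 'delete M/K\n'
}

# The stash decrypts the whole KDC database: insist on an existing file
# readable by its owner only (mode 600 or 400). Returns 1 otherwise.
check_stash_perms() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run the rotation. Refuses to start without a database dump to fall back
# on, since a lost master key leaves the database undecryptable.
rotate_master_key() {
    keep="$1"; stash="$2"; backup="$3"; shift 3
    [ -s "$backup" ] || { echo "no backup dump at $backup" >&2; return 1; }
    master_key_script "$keep" "$stash" "$@" | $KADMIN
    chmod 600 "$stash"
    check_stash_perms "$stash"
}

# Real invocation only when explicitly requested; try it on a test realm first.
if [ "${DO_ROTATE:-no}" = yes ]; then
    rotate_master_key aes256-cts-hmac-sha1-96 /var/heimdal/m-key \
        /var/backups/heimdal.dump aes256-cts-hmac-sha1-96 des3-cbc-sha1
fi
```

Run with DO_ROTATE=yes only on a realm you have just dumped; the enctype list and paths are placeholders to adjust for your own KDC.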