Remembering Master Password

Jeffrey Hutzelman jhutz at cmu.edu
Wed Sep 27 16:38:08 EDT 2006



On Wednesday, September 27, 2006 01:26:22 PM -0700 "Henry B. Hotz" 
<hotz at jpl.nasa.gov> wrote:

>
> On Sep 27, 2006, at 11:10 AM, Jeffrey Hutzelman wrote:
>
>>
>>
>> On Wednesday, September 27, 2006 08:52:52 AM -0700 "Henry B. Hotz"
>> <hotz at jpl.nasa.gov> wrote:
>>
>>> Heimdal uses a standard keytab file for the master password.  In
>>> Heimdal kadmin you can do:
>>>
>>> add -r M/K
>>> del_enc M/K <all encryption types except the one you want>
> mod --kvno==<desired next version #> M/K  ;-)
>>> ext_key -k <master key stash location> M/K
>>> delete M/K
>>
>> You can, but if you do that multiple times, you'll end up with
>> multiple keys with the same kvno.  Since Heimdal records for each
>> record the version of the master key that was used to encrypt it
>> (if any), it can handle multiple keys and do a gradual transition.
>> But that won't work if you keep reusing the same version.
>>
>> Also, that's rather convoluted compared to
>>
>> ktutil add -r -p M/K
>
> So it is.  You can't delete it from the master DB afterwards with
> ktutil, but I guess you're advocating just leaving it there so you don't
> have to track the version number yourself?

'ktutil add' doesn't talk to the server at all; it only manipulates the 
keytab.  So, the entry never gets added to the database.
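The kvno collision Hutzelman describes above can be checked directly on the stash file, since Heimdal's master-key stash is an ordinary keytab. The following Python is an added example, not code from this thread or from Heimdal: it parses the keytab file format (version 0x0502, as written by Heimdal ktutil/ext_key and by MIT) and reports principals that carry more than one key under the same kvno, plus the next free kvno for a principal. The realm EXAMPLE.ORG, the key bytes and the timestamps are constructed sample data, and the function names are my own, not Heimdal's.

```python
"""Keytab (format 0x0502) parser that flags duplicate kvnos per principal.
Added example; not code from the Kerberos list thread or from Heimdal."""
import struct
from collections import defaultdict

KEYTAB_MAGIC = b"\x05\x02"           # keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1                # name type written for ordinary principals
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18   # RFC 3962 enctype number


def _put_octets(b):
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key, timestamp) tuples into
    keytab bytes.  Used here only to construct sample input offline."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, enctype, key, ts in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _put_octets(realm.encode())
        for c in comps:
            body += _put_octets(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                 # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body      # entry length prefix
    return bytes(out)


def _get_octets(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return a list of dicts (principal, kvno, enctype, key, timestamp)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version: %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative length marks a deleted entry (hole)
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _get_octets(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _get_octets(data, off)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:            # 32-bit vno present; overrides vno8 if nonzero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "timestamp": ts})
    return entries


def duplicate_kvnos(entries):
    """Map principal -> sorted kvnos that occur more than once (the situation
    that defeats Heimdal's per-record master-key version tracking)."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in entries:
        counts[e["principal"]][e["kvno"]] += 1
    return {p: sorted(v for v, n in kv.items() if n > 1)
            for p, kv in counts.items() if any(n > 1 for n in kv.values())}


def next_kvno(entries, principal):
    """Highest kvno already stashed for principal plus one (1 if none)."""
    vs = [e["kvno"] for e in entries if e["principal"] == principal]
    return max(vs) + 1 if vs else 1


# Constructed sample stash: M/K added twice under kvno 1 (the mistake discussed
# above), once under kvno 2, plus a krbtgt key whose kvno exceeds 8 bits.
SAMPLE_KEYTAB = build_keytab([
    ("M/K", "EXAMPLE.ORG", 1, ETYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32)), 1159373000),
    ("M/K", "EXAMPLE.ORG", 1, ETYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32, 64)), 1159373100),
    ("M/K", "EXAMPLE.ORG", 2, ETYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(64, 96)), 1159373200),
    ("krbtgt/EXAMPLE.ORG", "EXAMPLE.ORG", 300, ETYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(96, 128)), 1159373300),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print("%-24s kvno=%-4d etype=%d" % (e["principal"], e["kvno"], e["enctype"]))
    print("duplicates:", duplicate_kvnos(entries))
    print("next kvno for M/K@EXAMPLE.ORG:", next_kvno(entries, "M/K@EXAMPLE.ORG"))
```

Run against a real stash (read the file in binary and pass it to parse_keytab) before repeating an add/ext_key cycle; if duplicate_kvnos reports anything, the stash already has the collision, and next_kvno gives the value to pass to mod --kvno.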
