Remembering Master Password

Henry B. Hotz hotz at jpl.nasa.gov
Wed Sep 27 16:54:30 EDT 2006


On Sep 27, 2006, at 1:38 PM, Jeffrey Hutzelman wrote:
>
> On Wednesday, September 27, 2006 01:26:22 PM -0700 "Henry B. Hotz"  
> <hotz at jpl.nasa.gov> wrote:
>>
>> On Sep 27, 2006, at 11:10 AM, Jeffrey Hutzelman wrote:
>>>
>>> On Wednesday, September 27, 2006 08:52:52 AM -0700 "Henry B. Hotz"
>>> <hotz at jpl.nasa.gov> wrote:
>>>
>>>> Heimdal uses a standard keytab file for the master password.  In
>>>> Heimdal kadmin you can do:
>>>>
>>>> add -r M/K
>>>> del_enc M/K <all encryption types except the one you want>
>> mod --kvno==<desired next version #> M/K  ;-)
>>>> ext_key -k <master key stash location> M/K
>>>> delete M/K
>>>
>>> You can, but if you do that multiple times, you'll end up with
>>> multiple keys with the same kvno.  Since Heimdal records for each
>>> record the version of the master key that was used to encrypt it
>>> (if any), it can handle multiple keys and do a gradual transition.
>>> But that won't work if you keep reusing the same version.
>>>
>>> Also, that's rather convoluted compared to
>>>
>>> ktutil add -r -p M/K
>>
>> So it is.  You can't delete it from the master DB afterwards with
>> ktutil, but I guess you're advocating just leaving it there so you don't
>> have to track the version number yourself?
>
> 'ktutil add' doesn't talk to the server at all; it only manipulates  
> the keytab.  So, the entry never gets added to the database.

I stand corrected.  change or get interact with kadmind.

I'm assuming from your omission that add will look at the existing  
kvno's and create the next one?

----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
