"If you choose to install a stash file..."

Jeffrey Hutzelman jhutz at cmu.edu
Wed Jan 10 19:46:08 EST 2007



On Wednesday, January 10, 2007 02:16:53 PM -0500 Ken Hornstein 
<kenh at cmf.nrl.navy.mil> wrote:

>> In addition to needing to enter a passphrase to launch krb5kdc (with
>> the -m option), it looks like kdb5_util will also need a passphrase,
>> understandably.
>>
>> This means that the traditional cronjob-triggered kprop -> kpropd
>> replication won't work either, right?
>
> Actually, it shouldn't need a passphrase; the dump files contain the
> encrypted keys, not the decrypted ones, and that's what kprop/kpropd
> pass around.  I thought that the MIT folks told me that they run without
> a stash file, and I see they have three KDCs.

I can't speak for current code, but several years ago we ran MIT KDCs with 
only the master having a stash file, and propagation worked just fine.

-- Jeff
