Best (or recommended) practices for updating and modifying encryption types supported on all principals?

Will Fiveash will.fiveash at oracle.com
Thu Apr 12 16:58:13 EDT 2012


On Thu, Apr 12, 2012 at 08:52:27AM -0700, Russ Allbery wrote:
> "Martin B. Smith" <smithmb at ufl.edu> writes:
> 
> > That all being said, what is the recommended way to adjust the supported
> > encryption types for every principal in our KDB? So far, I see the main
> > option being dump and load using kdb5_util. Is there an even better way?
> 
> Change the configured supported encryption types and then have everyone
> change their password.
> 
> The Kerberos KDC doesn't store the password, only the keys, so to change
> the encryption types available for those keys, you generally have to force
> people to change their passwords.  A lot of sites, when faced with a mass
> migration, add code to some authentication choke point (such as a central
> web authentication server) and quietly do a "password change" to the same
> password behind the scenes when users log in.
> 
> Dumping and loading with kdb5_util will not help.

Right.  Note that if one wants to change (renew, change enctype) the key
used to encrypt princ keys in the KDB (also known as the master key),
then check out the kdb5_util add_mkey, use_mkey,
update_princ_encryption, etc...  sub-commands.  But to reiterate, this
will not change the enctype of the princ's keys.

-- 
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
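As an added illustration of the point made in both replies (not code from this thread or from MIT krb5): a toy Python model of a KDB in which each principal's keys are derived from the password by a string2key stand-in and stored wrapped under the master key. Rotating the master key re-wraps every key without a password and without changing any enctype, while only a (same-)password change regenerates keys for the new enctype list; the string2key and wrap routines are constructed simplifications, not the real Kerberos algorithms.

```python
import hashlib
import hmac
import os

# Constructed toy model of a KDB (not MIT krb5 code): each principal holds one
# long-term key per enctype, derived from the password by string2key and stored
# encrypted under the KDB master key. Enctype names are the usual MIT ones.

def string2key(password: str, enctype: str, salt: str) -> bytes:
    # Stand-in for a Kerberos string2key: the only way to obtain a key for an
    # enctype is from the password, which the KDC never stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               (enctype + "|" + salt).encode(), 10_000, 32)

def mk_wrap(master_key: bytes, princ: str, enctype: str, key: bytes) -> bytes:
    # Toy "encrypt under master key": XOR with an HMAC-derived keystream.
    # Applying it twice with the same master key unwraps.
    stream = hmac.new(master_key, f"{princ}|{enctype}".encode(),
                      hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))

def change_password(db, master_key, princ, password, enctypes):
    # A password change (even to the same password) is what regenerates keys,
    # so it is the step that adds or drops enctypes for a principal.
    db[princ] = {et: mk_wrap(master_key, princ, et, string2key(password, et, princ))
                 for et in enctypes}

def update_princ_encryption(db, old_mk, new_mk):
    # Like kdb5_util update_princ_encryption: re-wrap every stored key under
    # the new master key. Needs no password; changes no principal enctype.
    for princ, keys in db.items():
        for et, wrapped in keys.items():
            keys[et] = mk_wrap(new_mk, princ, et, mk_wrap(old_mk, princ, et, wrapped))

def demo():
    old_mk, new_mk = os.urandom(32), os.urandom(32)
    princ, pw = "alice@EXAMPLE.COM", "correct horse"   # constructed sample
    db = {}
    change_password(db, old_mk, princ, pw, ["des-cbc-crc", "aes128-cts-hmac-sha1-96"])
    before = sorted(db[princ])
    update_princ_encryption(db, old_mk, new_mk)       # master key rotation
    after_rotation = sorted(db[princ])
    # Keys survive the rotation unchanged: unwrapping with the new master key
    # yields exactly what string2key produced from the password.
    keys_intact = all(mk_wrap(new_mk, princ, et, w) == string2key(pw, et, princ)
                      for et, w in db[princ].items())
    # Only a (same-)password change reaches the new enctype policy.
    change_password(db, new_mk, princ, pw,
                    ["aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"])
    return before, after_rotation, keys_intact, sorted(db[princ])

if __name__ == "__main__":
    print(demo())
```

Running it shows the enctype list identical before and after the master key rotation, and the DES key dropped and AES256 added only after the password is set again.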

