Upgrading from DES with 1.6.1 on RHEL5

Greg Hudson ghudson at MIT.EDU
Mon Jul 1 11:57:17 EDT 2013


On 07/01/2013 11:29 AM, Edgecombe, Jason wrote:
> I'm reading http://web.mit.edu/kerberos/krb5-devel/doc/admin/advanced/retiring-des.html
> 
> I wanted to ask if I can follow this procedure with my older MIT Kerberos KDC running krb5-server-1.6.1-70.el5.

I think you can follow most of it, but it does rely on a few newer features.

The kadmin purgekeys command was added in 1.9, which makes it hard to get
rid of the old krbtgt key after using "cpw -randkey -keepold" to make a
new one.  You can get rid of the old key using dump and load with some
dumpfile surgery, or you can schedule a time to invalidate all existing
tickets and use cpw without -keepold on the krbtgt entry.

kdb5_util add_mkey/use_mkey/update_princ_encryption were added in 1.7.
It is possible to migrate the master key using "kdb5_util dump
-mkey_convert", but there are some pitfalls, so it is probably simplest
to just leave the old master key in place until you can upgrade krb5.
The master key is not used for any data which passes over the network.
