Forgot Kerberos Master Key

Greg Hudson ghudson at MIT.EDU
Mon Jun 3 12:17:22 EDT 2013


On 06/03/2013 05:04 AM, kannan rbk wrote:
> I forgot kerberos master key but i have key stash file. How can I  get the
> clear text password from the stash file.

The stash file holds a key derived from the master password, but this
derivation is intentionally difficult to reverse.  So, short of a
brute-force attack, you can't get the clear text password back.

You have a few options at this point:

A. Don't worry about not knowing the master password.  As long as you
have the stash file, you should be fine.

B. Transition to a new master key using "kdb5_util dump -mkey_convert"
and "kdb5_util load".  This requires scheduling some downtime.

C. Roll the master key online.  This requires krb5 1.7 or later.  The
steps are:

   1. On the master, run "kdb5_util add_mkey -s" and enter the new
master password.

   2. On the master, run "kdb5_util list_mkeys" and make note of the
kvno of the new master key you just added.  In most cases it will be 2.

   3. Make sure the database has propagated to all slaves.

   4. On each slave, run "kdb5_util stash".  Use "klist -k
/path/to/stashfile" to verify that the KVNO in each stash file matches
the kvno of the new master key.

   5. On the master, run "kdb5_util use_mkey N", where N is the kvno of
the new master key.

   6. On the master, run "kdb5_util update_princ_encryption".

   7. On the master, run "kdb5_util purge_mkeys".

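The check in step 4 (every stash file must carry the kvno of the newly added master key before you run "use_mkey") is easy to get wrong by eye when there are several slaves. The script below is an added example, not code from the original post or from MIT Kerberos: it parses the output of "kdb5_util list_mkeys" and "klist -k" with awk and reports whether a stash file is current or stale. The two samples are constructed to mimic those outputs, and the stash path /var/krb5kdc/.k5.EXAMPLE.COM is an assumed placeholder.

```shell
#!/bin/sh
# Added example: confirm that a stash file contains the kvno of the new
# master key (step 4 of the online roll) before switching over with use_mkey.
# The samples below are CONSTRUCTED to resemble "kdb5_util list_mkeys" and
# "klist -k /path/to/stashfile" output; they were not captured from a KDC.

SAMPLE_LIST_MKEYS='Master keys for Principal: K/M@EXAMPLE.COM
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Mon Jun 03 12:00:00 EDT 2013
KVNO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Dec 31 19:00:00 EST 1969 *'

# A slave whose stash was refreshed with "kdb5_util stash" after add_mkey.
SAMPLE_STASH_OK='Keytab name: FILE:/var/krb5kdc/.k5.EXAMPLE.COM
KVNO Principal
---- --------------------------------------------------------------------------
   1 K/M@EXAMPLE.COM
   2 K/M@EXAMPLE.COM'

# A slave that still only has the old master key in its stash.
SAMPLE_STASH_STALE='Keytab name: FILE:/var/krb5kdc/.k5.EXAMPLE.COM
KVNO Principal
---- --------------------------------------------------------------------------
   1 K/M@EXAMPLE.COM'

# Highest kvno in list_mkeys output, i.e. the key just added with add_mkey.
newest_mkey_kvno() {
    printf '%s\n' "$1" | awk 'BEGIN { max = 0 }
        /^KVNO:/ { sub(",", "", $2); if ($2 + 0 > max) max = $2 + 0 }
        END { print max }'
}

# Kvnos in a stash file: first column of each klist -k line for the K/M principal.
stash_kvnos() {
    printf '%s\n' "$1" | awk '$2 ~ /^K\/M@/ { print $1 }'
}

# 0 if the stash output contains the given kvno, 1 otherwise.
stash_has_kvno() {
    stash_kvnos "$1" | grep -qx "$2"
}

# Compare list_mkeys output ($1) with one stash file's klist -k output ($2).
# Returns 0 when the stash is current and 1 when "kdb5_util stash" must be
# re-run on that host before proceeding to use_mkey.
check_stash() {
    want=$(newest_mkey_kvno "$1")
    if stash_has_kvno "$2" "$want"; then
        echo "stash has kvno $want: ok"
        return 0
    fi
    echo "stash lacks kvno $want (has: $(stash_kvnos "$2" | tr '\n' ' ')): STALE"
    return 1
}

# On a real KDC, feed live output instead of the samples, e.g.:
#   check_stash "$(kdb5_util list_mkeys)" "$(klist -k /var/krb5kdc/.k5.EXAMPLE.COM)"
check_stash "$SAMPLE_LIST_MKEYS" "$SAMPLE_STASH_OK"
check_stash "$SAMPLE_LIST_MKEYS" "$SAMPLE_STASH_STALE" || true
```

Run it on each slave (or collect each slave's "klist -k" output centrally) and only proceed to "use_mkey" once every host reports "ok"; a stale stash means that KDC cannot decrypt principal keys once update_princ_encryption has re-encrypted them under the new master key.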