is the master key cached somehow (slave side)?
Benjamin Kaduk
kaduk at MIT.EDU
Wed Jul 2 22:23:53 EDT 2014
On Wed, 25 Jun 2014, Giuseppe Mazza wrote:
> Is it the normal behaviour?
> I thought you should have a valid stash file in place to access the
> database on the slave. Maybe not?
> Or there is some kind of caching?
> Do you know how it works?
The master key is ~only used to encrypt the long-term key information
stored in the database; as such, it is only needed when those keys are to
be accessed for cryptographic operations. Merely copying the database
around does not require the master key. (Still, such copying should be
done over an encrypted connection.)
kprop/kpropd is an "ordinary" (in one sense) kerberized service, using the
host principals of the master and slave KDC machines as the client and
service principals. Since those keys are still in the main krb5.keytab on
both machines when the stash file is moved out of the way, the kpropd
operation succeeds. When the stash file is moved back into place, the new
principal's key and information can be accessed as usual.
-Ben