master and n-slaves, stash file and LDAP backend in an automated environment

Greg Hudson ghudson at mit.edu
Tue Jun 28 11:14:47 EDT 2016


On 06/28/2016 09:58 AM, Diogenes S. Jesus wrote:
> That said, what's the role of the stash file in this scenario? To decrypt
> krbPrincipalKey LDAP attribute?

Yes.  Keys in an LDAP KDB are encrypted in the master key just like keys
in a DB2 KDB.  The idea is that if the Kerberos data in the LDAP
database isn't securely backed up or is otherwise exposed, the keys are
still protected.  (The level of protection may not be great because an
offline dictionary attack against the master password is possible using
any of the encrypted keys.)

The master key is not used in kprop or iprop replication.

> If then, all KDCs, regardless of being slave or not, must have the same
> stash file - then comes the question: what's the best practice when
> spawning new kdcs to retrieve the one shared stash? I think I may have the
> answer already - use wallet file object, for example, but any
> idea/experience in the area would help.

You can independently create the stash file on the slave using the
master password (either with kdb5_util create or kdb5_util stash), but
it's probably more common to securely copy the stash file around using
wallet or scp or whatever, yes.
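As an added illustration of the two points above (principal keys are stored encrypted under the master key, and the stash file is simply that master key, which a new slave can either receive as a copied file or regenerate from the master password), here is a small stand-alone model. It is not MIT krb5 code: real krb5 uses enctype-specific string-to-key and encryption routines and its own record formats, while this script substitutes PBKDF2-HMAC-SHA256 and an HMAC-based stream cipher so it runs with the Python standard library only. The realm, password, file name and record layout are constructed for the example.

```python
"""Toy model of master-key protection of principal keys in a krb5 KDB.

Added illustration, not code from MIT krb5. PBKDF2-HMAC-SHA256 stands in
for krb5's string-to-key, and an HMAC-based stream cipher plus HMAC tag
stands in for the enctype used to encrypt krbPrincipalKey / DB2 records.
"""
import hashlib
import hmac
import os
import tempfile

ITERATIONS = 100_000  # constructed value, not a krb5 parameter


def master_key_from_password(master_password: str, realm: str) -> bytes:
    """Derive the master key from the master password (stand-in for string2key).
    krb5 salts with the K/M principal name; this mimics that."""
    salt = f"K/M@{realm}".encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy PRF keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_principal_key(master_key: bytes, principal_key: bytes) -> bytes:
    """Encrypt a principal's long-term key under the master key.
    Constructed layout: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ks = _keystream(master_key, nonce, len(principal_key))
    ct = bytes(a ^ b for a, b in zip(principal_key, ks))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_principal_key(master_key: bytes, blob: bytes) -> bytes:
    """Decrypt a stored record; fails closed if the master key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master key or corrupted record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(master_key, nonce, len(ct))))


def write_stash(path: str, master_key: bytes) -> None:
    """The stash file is the raw master key, guarded only by file permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(master_key)


def read_stash(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Master KDC creates the stash and a wrapped record; two slaves unwrap it."""
    realm = "EXAMPLE.COM"              # constructed
    master_password = "correct horse"  # constructed
    principal_key = os.urandom(32)     # a principal's long-term key

    # Master KDC: derive the master key once, stash it, wrap the principal key.
    master_key = master_key_from_password(master_password, realm)
    stash_path = os.path.join(tempfile.mkdtemp(), ".k5.EXAMPLE.COM")
    write_stash(stash_path, master_key)
    kdb_record = wrap_principal_key(master_key, principal_key)

    # kprop/iprop ships the already-wrapped record; the master key is not involved.
    replicated_record = kdb_record

    # Slave 1 received a copy of the stash file (scp, wallet, ...).
    via_copied_stash = unwrap_principal_key(read_stash(stash_path), replicated_record)

    # Slave 2 never got the file and re-derives the key from the master
    # password, which is what `kdb5_util stash` does on the slave.
    via_rederived = unwrap_principal_key(
        master_key_from_password(master_password, realm), replicated_record)

    # A wrong master password yields a different key and the record stays sealed.
    try:
        unwrap_principal_key(master_key_from_password("wrong", realm), replicated_record)
        wrong_password_rejected = False
    except ValueError:
        wrong_password_rejected = True

    return {
        "principal_key": principal_key,
        "via_copied_stash": via_copied_stash,
        "via_rederived": via_rederived,
        "wrong_password_rejected": wrong_password_rejected,
        "stash_mode": oct(os.stat(stash_path).st_mode & 0o777),
    }


if __name__ == "__main__":
    print(demo())
```

The `wrong_password_rejected` branch is also the reason for the caveat above: every wrapped record doubles as a verifier for guesses at the master password, so the protection the master key adds to an exposed LDAP backup is only as good as the password's entropy and the stash file's permissions (0600, root-owned, never in a world-readable backup).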

