[krbdev.mit.edu #7994] randkey does not update principal's master key version
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Aug 18 12:34:59 EDT 2014
kadm5_randkey_principal_3 does not call krb5_dbe_update_mkvno after
krb5_dbe_crk, so while it uses the currently active mkvno, it does not
update the principal's metadata to reflect this.
Steps to reproduce:
1. make testrealm
2. kdb5_util add_mkey -s (enter a new master password twice)
3. kdb5_util use_mkey 2
4. kadmin.local -q 'cpw -randkey user' (or alternatively, ktadd)
5. kadmin.local -q 'getprinc user' (erroneously reports "MKey: vno 1")
The keys still decrypt properly in the KDC because we iterate over all
of the master keys trying to decrypt instead of obeying the principal's
mkvno metadata. But at least one operation fails:
6. kdb5_util update_princ_encryption (reports "Decrypt integrity check
failed" on the uesr principal)
More information about the krb5-bugs
mailing list