need project review
Will Fiveash
William.Fiveash at sun.com
Mon Apr 7 14:48:55 EDT 2008

On Fri, Apr 04, 2008 at 03:18:57PM -0500, Nicolas Williams wrote:
> On Fri, Apr 04, 2008 at 03:00:41PM -0500, Nicolas Williams wrote:
> > IMO we should deprecate stash files altogether. That should make this
> > issue go away -- what's the point of having a stash file if nothing will
> > read it?
>
> I should clarify. I think that the only thing that reads stash files
> should be the tool that migrates them to keytab file entries. That
> could be built-in to krb5kdc and kadmind, or it could be a standalone
> tool. Either way the stash file should be read once, migrated, and
> removed or ignored thereafter.

The design does not auto-migrate the stash file to a keytab format. The
idea is that the KDC daemons will be able to read an older format stash
file. Only when the admin runs a kdb5_util command that modifies the
master key stash will the format change (along with a new master key being
stored). I'm assuming that the old master key does not need to be saved
since this does not happen with the current stash code.

--
Will Fiveash
Sun Microsystems Office x64079/512-401-1079
Austin, TX, 78727 (TZ=CST6CDT), USA