need project review

Will Fiveash William.Fiveash at
Mon Apr 7 14:48:55 EDT 2008

On Fri, Apr 04, 2008 at 03:18:57PM -0500, Nicolas Williams wrote:
> On Fri, Apr 04, 2008 at 03:00:41PM -0500, Nicolas Williams wrote:
> > IMO we should deprecate stash files altogether.  That should make this
> > issue go away -- what's the point of having a stash file if nothing will
> > read it?
> I should clarify.  I think that the only thing that reads stash files
> should be the tool that migrates them to keytab file entries.  That
> could be built-in to krb5kdc and kadmind, or it could be a standalone
> tool.  Either way the stash file should be read once, migrated, and
> removed or ignored thereafter.

The design does not auto-migrate the stash file to a keytab format.  The
idea is that the KDC daemons will be able to read an older format stash
file.  Only when the admin runs a kdb5_util command that modifies the
masterkey stash will the format change (along with a new masterkey being
stored).  I'm assuming that the old masterkey does not need to be saved
since this does not happen with the current stash code.

Will Fiveash
Sun Microsystems               Office x64079/512-401-1079
Austin, TX, 78727              (TZ=CST6CDT), USA
