need project review

Will Fiveash William.Fiveash at sun.com
Mon Apr 7 14:43:29 EDT 2008 

On Fri, Apr 04, 2008 at 11:20:17AM -0400, Jeffrey Hutzelman wrote:
> --On Thursday, April 03, 2008 07:47:41 PM -0500 Will Fiveash 
> <William.Fiveash at sun.com> wrote:
>
>> The KDC must be able to access the most recent master key in the
>> masterkey keytab given a principal name
>
> I'm afraid this doesn't make sense to me.  What does a principal name have 
> to do with retrieving the master key?  While a copy of the master key is by 
> convention stored in the KDB as the keys for a particular principal, and 
> the same convention might be followed here, the master key does not have a 
> "principal name".

As you point out currently the masterkey in the stash file is the same
as the key associated with the K/M principal.  Given krb5_kt_get_entry()
and krb5_kt_add_entry() will be used to access and modify the masterkey
keytab and require a principal argument, my thought is that the
krb5_db_def_fetch_mkey and krb5_def_store_mkey() will use the K/M
principal name as the argument to the krb5_kt*_entry() functions.

> I think it is important that storing a new master key version be done 
> safely, such that failure does not result in the old stash file being 
> destroyed, even if it was old format.  Further, it might be argued that 
> attempting to add a new master key to an old-format stash file should 
> result in a keytab containing both the previous key and the newly-added 
> one.

How about I modify the design to create a temp masterkey keytab and then
moving it to it's standard filename?

> IMHO there needs to be a tool to convert back to the old stash format. 
> Managing a transition is much harder when you can't back out the change if 
> there is a problem.

Understand that I am not proposing that upgrading the KDC code will
automagically change the stash file format.  The stash file format will
only be changed if the admin runs one of the kdb5_util commands that
overwrites the stash file.  At that point the stash file format will
change to that of a keytab.

Note I'm assuming an admin will backup the stash file or know the
password used to generate the masterkey.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

More information about the krbdev mailing list