need project review

Will Fiveash William.Fiveash at
Mon Apr 7 14:43:29 EDT 2008

On Fri, Apr 04, 2008 at 11:20:17AM -0400, Jeffrey Hutzelman wrote:
> --On Thursday, April 03, 2008 07:47:41 PM -0500 Will Fiveash 
> <William.Fiveash at> wrote:
>> The KDC must be able to access the most recent master key in the
>> masterkey keytab given a principal name
> I'm afraid this doesn't make sense to me.  What does a principal name have 
> to do with retrieving the master key?  While a copy of the master key is by 
> convention stored in the KDB as the keys for a particular principal, and 
> the same convention might be followed here, the master key does not have a 
> "principal name".

As you point out, currently the masterkey in the stash file is the same
as the key associated with the K/M principal.  Given krb5_kt_get_entry()
and krb5_kt_add_entry() will be used to access and modify the masterkey
keytab and require a principal argument, my thought is that the
krb5_db_def_fetch_mkey and krb5_def_store_mkey() will use the K/M
principal name as the argument to the krb5_kt*_entry() functions.

> I think it is important that storing a new master key version be done 
> safely, such that failure does not result in the old stash file being 
> destroyed, even if it was old format.  Further, it might be argued that 
> attempting to add a new master key to an old-format stash file should 
> result in a keytab containing both the previous key and the newly-added 
> one.

How about I modify the design to create a temp masterkey keytab and then
move it to its standard filename?

> IMHO there needs to be a tool to convert back to the old stash format. 
> Managing a transition is much harder when you can't back out the change if 
> there is a problem.

Understand that I am not proposing that upgrading the KDC code will
automagically change the stash file format.  The stash file format will
only be changed if the admin runs one of the kdb5_util commands that
overwrites the stash file.  At that point the stash file format will
change to that of a keytab.

Note I'm assuming an admin will back up the stash file or know the
password used to generate the masterkey.

Will Fiveash
Sun Microsystems Inc.
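
The temp-file-then-rename approach proposed in this message, sketched with plain POSIX calls as an added example (not part of the original message and not MIT krb5 code). The function name `stash_replace` and the raw-byte payload are hypothetical; a real implementation would write the keytab through the `krb5_kt_*` API.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: atomically replace `path` with `len` bytes from `buf`.
 * Returns 0 on success, -1 on failure; on failure `path` is left untouched. */
int stash_replace(const char *path, const void *buf, size_t len)
{
    char tmp[4096];
    const unsigned char *p = buf;
    int fd, n;

    /* Temp file sits beside the target so rename() stays on one filesystem. */
    n = snprintf(tmp, sizeof(tmp), "%s.XXXXXX", path);
    if (n < 0 || (size_t)n >= sizeof(tmp))
        return -1;
    fd = mkstemp(tmp);          /* exclusive create, owner-only permissions */
    if (fd < 0)
        return -1;

    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w < 0)
            goto fail;
        p += w;
        len -= (size_t)w;
    }
    /* Flush the key material before it becomes visible under the real name. */
    if (fsync(fd) != 0)
        goto fail;
    if (close(fd) != 0) {
        fd = -1;
        goto fail;
    }
    fd = -1;
    /* Atomic swap: a reader sees the old stash or the new one, never a partial file. */
    if (rename(tmp, path) != 0)
        goto fail;
    return 0;

fail:
    if (fd >= 0)
        close(fd);
    unlink(tmp);                /* discard the partial temp file; old stash survives */
    return -1;
}
```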