need project review
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Apr 7 17:38:43 EDT 2008
--On Monday, April 07, 2008 02:42:15 PM -0500 Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> On Mon, Apr 07, 2008 at 08:28:10PM +0100, Tim Alsop wrote:
>> In addition - if you store old master keys in a keytab they are
>> potentially open to attack, so better to store as key material in the db
>
> No different than when they were in the stash file.
>
> Of course, ideally you could have the KDC implemented so no long term
> key material ever leaves a hardware token. I used to be a fan of that
> until I realized that that would mean putting so much of the KDC
> implementation in the token that it may not be worthwhile. Instead
> folks should minimize the network footprint of their KDCs and provide
> extra physical security for them.
We settled on a compromise. Of course, we do minimize the network
footprint and provide additional physical security, including cameras and
locked cabinets. However, we also modified the KDC (Heimdal, in our case)
so that it never knows the master key, and instead all encryption
operations using that key are done by a separate process (the master key
daemon). The separation is mostly for convenience (the KDC and mkeyd run
as the same user), as it means that only one process needs to know the key,
and the others can be restarted at will (before we did this, starting up
the master KDC required typing the master password 3 or 4 times). We also
arranged for the contents of the stash file to be encrypted in a set of
keys which live on smartcards, so to "unlock" the KDC and allow it to start
functioning, an administrator must be physically present with a smartcard
and a PIN.
-- Jeff
More information about the krbdev
mailing list