need project review

Jeffrey Hutzelman jhutz at
Mon Apr 7 17:38:43 EDT 2008

--On Monday, April 07, 2008 02:42:15 PM -0500 Nicolas Williams 
<Nicolas.Williams at> wrote:

> On Mon, Apr 07, 2008 at 08:28:10PM +0100, Tim Alsop wrote:
>> In addition - if you store old master keys in a keytab they are
>> potentially open to attack, so better to store as key material in the db
> No different than when they were in the stash file.
> Of course, ideally you could have the KDC implemented so no long term
> key material ever leaves a hardware token.  I used to be a fan of that
> until I realized that that would mean putting so much of the KDC
> implementation in the token that it may not be worthwhile.  Instead
> folks should minimize the network footprint of their KDCs and provide
> extra physical security for them.

We settled on a compromise.  Of course, we do minimize the network 
footprint and provide additional physical security, including cameras and 
locked cabinets.  However, we also modified the KDC (Heimdal, in our case) 
so that it never knows the master key, and instead all encryption 
operations using that key are done by a separate process (the master key 
daemon).  The separation is mostly for convenience (the KDC and mkeyd run 
as the same user), as it means that only one process needs to know the key, 
and the others can be restarted at will (before we did this, starting up 
the master KDC required typing the master password 3 or 4 times).  We also 
arranged for the contents of the stash file to be encrypted in a set of 
keys which live on smartcards, so to "unlock" the KDC and allow it to start 
functioning, an administrator must be physically present with a smartcard 
and a PIN.

-- Jeff
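The split Jeff describes (a KDC that never holds the master key, with all master-key encryption done by a separate mkeyd process it talks to) sketched as an added Python example; this is not code from the post or from Heimdal. The wire format, the toy HMAC-authenticated keystream cipher, and the names mkeyd, start_mkeyd and ask_mkeyd are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
from multiprocessing import Pipe, Process
# Toy keystream cipher standing in for the real master-key encryption (assumption;
# not Heimdal's format): block i = SHA-256(master || nonce || i), HMAC-authenticated.
def _stream_xor(master: bytes, nonce: bytes, data: bytes) -> bytes:
    ks = b"".join(hashlib.sha256(master + nonce + struct.pack(">I", i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _wrap(master: bytes, plain: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _stream_xor(master, nonce, plain)
    return nonce + ct + hmac.new(master, nonce + ct, hashlib.sha256).digest()

def _unwrap(master: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(master, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("master-key wrap tag mismatch")
    return _stream_xor(master, nonce, ct)

def mkeyd(conn) -> None:
    """Master key daemon: the only process that ever holds the master key."""
    master = os.urandom(32)  # constructed; in practice unlocked from the stash
    while True:
        msg = conn.recv_bytes()
        op, body = msg[:1], msg[1:]
        if op == b"Q":  # shutdown request from the KDC side
            return
        try:
            conn.send_bytes(b"+" + (_wrap(master, body) if op == b"W" else _unwrap(master, body)))
        except ValueError as e:
            conn.send_bytes(b"-" + str(e).encode())

def start_mkeyd():
    """Fork mkeyd; the KDC keeps only a pipe end, never the master key itself."""
    kdc_end, mkeyd_end = Pipe()
    Process(target=mkeyd, args=(mkeyd_end,), daemon=True).start()
    return kdc_end

def ask_mkeyd(conn, op: bytes, body: bytes) -> bytes:
    """KDC side: ask mkeyd to wrap (b"W") or unwrap (b"U") a principal key."""
    conn.send_bytes(op + body)
    resp = conn.recv_bytes()
    if resp[:1] != b"+":
        raise ValueError(resp[1:].decode())
    return resp[1:]
```

The KDC process can be restarted freely while mkeyd keeps running, which is the operational convenience the post mentions; a tampered wrapped key is rejected by mkeyd rather than silently decrypted.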
