Master key migration and the stash command

Will Fiveash will.fiveash at oracle.com
Mon Jun 14 15:58:03 EDT 2010


Is this something that should be revisited for the 1.9 release?  Note
that the lack of a stash command in the kdb5_ldap_util is an issue for
some as well.

On Wed, Jan 28, 2009 at 01:53:14PM -0500, Greg Hudson wrote:
> Currently, "kdb5_util stash" does the following:
> 
>   1. Open the database (or fail out)
>   2. (If there is an existing stash file, read in the master key and
>      forget about it; this is odd but unimportant)
>   3. Prompt for the master key
>   4. Verify the entered key against the database (or fail out)
>   5. Write out the stash file
> 
> There are two issues here.  First, you can't stash the password before
> creating the database, which complicates the setup of slave DBs.
> Second, part of the master key migration project plan requires a "sync
> the stash" operation to update the stash file with all master keys.
> (http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration)
> 
> I was thinking of creating a "grand unified stash" command, which
> handles all of the use cases:
> 
>   * If there's a database but no valid stash file, prompt for the
>     master password, use it to retrieve all master keys, and write out
>     a stash file containing all master keys.
> 
>   * If there's a database and a valid stash file, use the stashed
>     master key to retrieve all DB master keys, and write out a stash
>     file containing all master keys.
> 
>   * If there's no database and no stash file, prompt for the master
>     password and stash it without verifying it.
> 
> Does this plan seem reasonable, or would people rather see separate
> kdb_util operations for "prompt and stash" and "update existing
> stash"?
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev

-- 
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash at oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/



More information about the krbdev mailing list