Master key migration and the stash command

Greg Hudson ghudson at MIT.EDU
Mon Jun 21 17:07:57 EDT 2010


On Mon, 2010-06-14 at 15:58 -0400, Will Fiveash wrote:
> Is this something that should be revisited for the 1.9 release?  Note
> that the lack of a stash command in the kdb5_ldap_util is an issue for
> some as well.

I fixed "kdb5_util stash" to work against LDAP databases; it was a very
simple bug.  I tagged the fix for 1.8.3; it could also go easily into
releases as early as (I think) 1.6.

Possible remaining improvements include:

  * Make it possible to use "kdb5_util stash" before a KDB exists, and
make "kdb5_util create" recognize and use the stash file.  I'm no longer
sure this is worth the effort.  It would make the creation of slave KDCs
appear slightly more elegant in some deployment scenarios, but not
actually any more correct (the initial KDB contents are overwritten by
the kdb5_util load regardless).  It might also be more work than I had
anticipated.

  * When the KDB is present but a valid stash file is not, make
"kdb5_util stash" examine the K/M record to deduce the master key type.
This is not completely trivial to implement, and only helps in uncommon
deployment scenarios, so I will defer it for now.
