Master key migration and the stash command

Will Fiveash will.fiveash at oracle.com
Mon Jun 21 18:44:05 EDT 2010


On Mon, Jun 21, 2010 at 05:07:57PM -0400, Greg Hudson wrote:
> On Mon, 2010-06-14 at 15:58 -0400, Will Fiveash wrote:
> > Is this something that should be revisited for the 1.9 release?  Note
> > that the lack of a stash command in the kdb5_ldap_util is an issue for
> > some as well.
> 
> I fixed "kdb5_util stash" to work against LDAP databases; it was a very
> simple bug.  I tagged the fix for 1.8.3; it could also go easily into
> releases as early as (I think) 1.6.

Thanks Greg, that addresses the issue a customer was having.

> Possible remaining improvements include:
> 
>   * Make it possible to use "kdb5_util stash" before a KDB exists, and
> make "kdb5_util create" recognize and use the stash file.  I'm no longer
> sure this is worth the effort.  It would make the creation of slave KDCs
> appear slightly more elegant in some deployment scenarios, but not
> actually any more correct (the initial KDB contents are overwritten by
> the kdb5_util load regardless).  It might also be more work than I had
> anticipated.
> 
>   * When the KDB is present but a valid stash file is not, make
> "kdb5_util stash" examine the K/M record to deduce the master key type.
> This is not completely trivial to implement, and only helps in uncommon
> deployment scenarios, so I will defer it for now.

I don't have a problem with that.

-- 
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash at oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/