Automatically randomizing principal keys (in preauth plugin)
ghudson at MIT.EDU
Thu Mar 24 13:05:26 EDT 2011
On Thu, 2011-03-24 at 12:45 -0400, Yair Yarom wrote:
> Thanks for the detailed reply.
> 1. Is there a way to get the master key (and some salts) from the kdc?
> my current method (more or less copied from
> kdb5_util.c:add_random_key) is to call krb5_db_setup_mkey_name,
> krb5_read_realm_params and krb5_db_fetch_mkey. But if the kdc was
> started with special parameters, this might not work properly.
Unfortunately for your purposes, I'm not sure there's a better way. A
copy of the master key list is held in the DAL handle, but there's no
function to access it. Prior to krb5 1.9 you could call
krb5_db_get_mkey_list(), but that's been removed.
There are provisions to allow plugins to decrypt key data by passing a
null master key list, but no allowances made for plugins which want to
encrypt key data.
> 2. The database isn't updated. I actually prefer that the database won't
> be updated, but then I wonder how it works. I.e. the kdc appears
> to find the client key, but just until the next 'kinit' where the
> plugin randomizes a new key (as it can't find one).
You're modifying the in-memory database record handed to you by the KDC
code, and the modified record continues to be used by the KDC.