Automatically randomizing principal keys (in preauth plugin)

[Greg Hudson]

On Thu, 2011-03-24 at 12:45 -0400, Yair Yarom wrote:
> Thanks for the detailed reply. 

> 1. Is there a way to get the master key (and some salts) from the kdc?
>    my current method (more or less copied from
>    kdb5_util.c:add_random_key) is to call krb5_db_setup_mkey_name,
>    krb5_read_realm_params and krb5_db_fetch_mkey. But if the kdc was
>    started with special parameters, this might not work properly.

Unfortunately for your purposes, I'm not sure there's a better way.  A
copy of the master key list is held in the DAL handle, but there's no
function to access it.  Prior to krb5 1.9 you could call
krb5_db_get_mkey_list(), but that's been removed.

There are provisions to allow plugins to decrypt key data by passing a
null master key list, but no allowances made for plugins which want to
encrypt key data.

> 2. The database isn't updated. I actually prefer that the database won't
>    be updated, but then I wonder how does it work? I.e. the kdc appears
>    to find the client key, but just until the next 'kinit' where the
>    plugin randomizes a new key (as it can't find one).

You're modifying the in-memory database record handed to you by the KDC
code, and the modified record continues to be used by the KDC.