Package: heimdal-kdc
Version: 7.4.0.dfsg.1-1
Severity: normal

Dear maintainer,

heimdal-kdc.postinst runs kstash(8) to generate a master key. This key
is written to /var/lib/heimdal-kdc/m-key. However, kadmin(8) and kdc(8)
try to read the master key from /var/lib/heimdal-kdc/heimdal.mkey
(strace confirms the comment in kdc.conf). I'm not certain but it seems
the result is the database is silently stored unencrypted.
I was about to suggest 'kadmin -c /etc/heimdal-kdc/kdc.conf -l stash',
but it seems this also doesn't use DBNAME.mkey as a default! I think
I'll raise that upstream. Not to mention the lack of even a warning when
the mkey file doesn't exist.
A possible solution would be to install the default mkey with an
explicit 'kstash -k /var/lib/heimdal-kdc/heimdal.mkey' (until the
default changes again, anyway).

thanks,
Ryan
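An added example, not part of the bug report or the Debian package: a small POSIX shell check that resolves the master key path a Heimdal KDC would read for a given kdc.conf and reports whether that file exists, so an administrator can catch the mismatch described above (kstash writing m-key while the KDC looks for heimdal.mkey) before the database is left unencrypted. It assumes the kdc.conf database block may carry `dbname = PATH` and `mkey_file = PATH` lines, that the default key path is DBNAME.mkey, and that the state directory default is the heimdal.mkey path named in the report; the function names and the sample config in the test are constructed.

```shell
#!/bin/sh
# Resolve the master key path a KDC would use for the given kdc.conf.
# Assumed lookup order: explicit "mkey_file = PATH", then DBNAME.mkey derived
# from "dbname = PATH", then DEFAULT_DIR/heimdal.mkey (the path in the report).
heimdal_mkey_path() {
    conf="$1"; default_dir="$2"
    explicit=$(sed -n 's/^[[:space:]]*mkey_file[[:space:]]*=[[:space:]]*//p' "$conf" \
        | sed 's/[[:space:]]*$//' | head -n 1)
    if [ -n "$explicit" ]; then printf '%s\n' "$explicit"; return 0; fi
    dbname=$(sed -n 's/^[[:space:]]*dbname[[:space:]]*=[[:space:]]*//p' "$conf" \
        | sed 's/[[:space:]]*$//' | head -n 1)
    if [ -n "$dbname" ]; then printf '%s.mkey\n' "$dbname"; return 0; fi
    printf '%s/heimdal.mkey\n' "$default_dir"
}

# Exit status: 0 when the resolved key file exists; 1 when it is missing but a
# stray m-key (the default kstash output) is present in the state directory;
# 2 when no master key file exists at all (database would be stored unencrypted).
heimdal_mkey_check() {
    conf="$1"; state_dir="$2"
    path=$(heimdal_mkey_path "$conf" "$state_dir")
    if [ -f "$path" ]; then
        echo "ok: master key present at $path"; return 0
    elif [ -f "$state_dir/m-key" ]; then
        echo "MISMATCH: KDC expects $path but only $state_dir/m-key exists"; return 1
    else
        echo "MISSING: no master key file found; database may be unencrypted"; return 2
    fi
}
```

Run it as `heimdal_mkey_check /etc/heimdal-kdc/kdc.conf /var/lib/heimdal-kdc` after package installation; a non-zero status means the KDC will not find the key kstash wrote.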