Hi!
This whole thread contains a lot of really good information. Is this all
documented in a good way (preferably with examples) somewhere? If so,
pointer please. If not, can it please be?
Cheers,
/Liman
#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc. ! E-mail: [email protected]
# Senior Systems Specialist ! Tel: +46 8 - 562 860 12
# Netnod Internet Exchange, Stockholm ! http://www.netnod.se/
#----------------------------------------------------------------------
[email protected]:
> On 3/14/2017 3:57 PM, Nico Williams wrote:
>> On Tue, Mar 14, 2017 at 03:54:36PM -0700, Adam Lewenberg wrote:
>>> If you use a master key and you back up all your files _except_ the master
>>> key to some remote location, wouldn't that suffice to protect the database
>>> in that remote location?
>>
>> No. The problem is that the master key is not used to bind principal
>> keys to principal records. This means that a backup operator could give
>> you back a dump where a user's keys are pasted into the krbtgt
>> principal(s), and if you load this dump that user will now be able to
>> mint tickets for any service as any user. (You might notice this
>> attack, but probably not in time to stop it.)
>>
>> Nico
> I see.
> If I trust the backup operator (e.g., it's me), then it still might be
> useful as at the very least it makes it harder for anyone who runs
> across the database file to guess the passwords. On the other hand,
> encrypting the entire file before backup, as you suggest, accomplishes
> this _and_ removes the concern of getting back a compromised database.
> Thanks for the enlightenment.
> Adam Lewenberg
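
Added example, not part of the original thread and not MIT krb5's actual dump format: a simplified Python model of the point in the quoted exchange, where each key blob is protected by the master key on its own, so a blob moved to another principal still unwraps, while an integrity tag over the whole dump catches the change. The record layout, the toy cipher, the key and principal names, and the use of an HMAC to stand in for the integrity that authenticated whole-file encryption would give are all assumptions.

```python
import hashlib, hmac, os

def _xor_stream(key, nonce, data):
    # Toy SHA-256 counter-mode keystream; a stand-in cipher for this model only.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap_key(master, principal_key):
    # The blob is authenticated on its own: the principal name is NOT covered.
    nonce = os.urandom(16)
    ct = _xor_stream(master, nonce, principal_key)
    return nonce + ct + hmac.new(master, nonce + ct, hashlib.sha256).digest()

def unwrap_key(master, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(master, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key blob failed master-key check")
    return _xor_stream(master, nonce, ct)

def serialize(db):
    return b"\n".join(n.encode() + b" " + db[n].hex().encode() for n in sorted(db))

def seal(backup_key, dump):
    # Integrity tag over the whole dump; the key stays out of the backup.
    return hmac.new(backup_key, dump, hashlib.sha256).digest()

def verify(backup_key, dump, tag):
    return hmac.compare_digest(seal(backup_key, dump), tag)

# Constructed sample data: keys and principal names are made up.
MASTER, BACKUP_KEY = b"M" * 32, b"B" * 32
USER_KEY, TGT_KEY = b"u" * 32, b"t" * 32
db = {"krbtgt/EXAMPLE.COM": wrap_key(MASTER, TGT_KEY),
      "alice": wrap_key(MASTER, USER_KEY)}
tag = seal(BACKUP_KEY, serialize(db))

# The returned dump from the thread's scenario: alice's blob sits under krbtgt.
returned = dict(db, **{"krbtgt/EXAMPLE.COM": db["alice"]})

def restore_accepts_swapped_key():
    # Per-record master-key check passes, yet krbtgt now holds alice's key.
    return unwrap_key(MASTER, returned["krbtgt/EXAMPLE.COM"]) == USER_KEY

def whole_dump_check_rejects():
    return not verify(BACKUP_KEY, serialize(returned), tag)

if __name__ == "__main__":
    print(restore_accepts_swapped_key(), whole_dump_check_rejects())
```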