On Tue, 2017-06-27 at 16:42 -0700, Henry B (Hank) Hotz, CISSP wrote:

> > On Jun 27, 2017, at 4:23 PM, Nico Williams <n...@cryptonector.com> wrote:
> >
> > We decided that it was never a good idea for "all" to have meant
> > "extract keys", because in general that's not desirable.
>
> How is extracting keys different from extracting a keytab (with the
> keys inside it)?
ext_keytab is poorly named. In MIT Kerberos, it doesn't actually extract anything; it generates a new key with a new kvno and stores it in both the keytab and the kdb. MIT kadmind, going back as far as krb4, didn't even have an operation to fetch existing keys from the database; that was considered an exceptionally dangerous ability and not really necessary.

Heimdal initially took a different approach, which is still what ext_keytab does by default, for backward compatibility and to avoid unpleasantly surprising results. With -r, it randomizes the key instead, which is safer. Note that ext_keytab without -r will not work if you don't have the get-keys privilege.

I have patches going back as far as Heimdal 0.6 which make get-keys a separate privilege not included in 'all'. I didn't write the change that eventually made it into Heimdal, but I certainly agree with it.

--
Jeff
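The thread's point is that, with get-keys split out of 'all', only an explicit get-keys grant lets an admin fetch existing keys (ext_keytab without -r). The following added example, not from the thread or from Heimdal, audits a Heimdal-style kadmind.acl for such grants; it assumes the layout "principal rights [target-pattern]" with comma-separated rights and '#' comments, and the ACL content is constructed.

```python
"""Audit a Heimdal-style kadmind.acl for principals that may fetch existing keys.

Added example, not Heimdal's code. Assumed layout (one entry per line):
    principal   rights[,rights...]   [target-principal-pattern]
'#' starts a comment. Since get-keys is not implied by 'all', only an
explicit 'get-keys' grant allows ext_keytab without -r on a principal.
"""

# Constructed sample ACL used for the demonstration below.
SAMPLE_ACL = """\
# constructed sample kadmind.acl
lha/admin@EXAMPLE.COM      all
foo/admin@EXAMPLE.COM      add,delete,modify   host/*@EXAMPLE.COM
ktab/admin@EXAMPLE.COM     get-keys            host/*@EXAMPLE.COM
legacy/admin@EXAMPLE.COM   all,get-keys
"""


def parse_acl(text):
    """Return a list of (principal, rights_set, target_pattern_or_None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # malformed: no rights field
        principal = fields[0]
        rights = set(fields[1].split(','))
        target = fields[2] if len(fields) > 2 else None
        entries.append((principal, rights, target))
    return entries


def get_keys_grants(text):
    """Principals explicitly granted get-keys, with the scope they hold it on.

    An entry with only 'all' is not reported: 'all' no longer implies
    get-keys, so such an admin can randomize keys but not read them.
    """
    return [(principal, target or '*')
            for principal, rights, target in parse_acl(text)
            if 'get-keys' in rights]


if __name__ == '__main__':
    for principal, scope in get_keys_grants(SAMPLE_ACL):
        print(f"{principal} can read existing keys for {scope}")
```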