On Mon Feb 3 14:55:07 2003, Marcus Watts said:

>> What do you do when the angry Kerberos Admin leaves the company? Can
>> you Dump the DB, Recreate it with a new Master Key then Restore?
>
> The master key does 2 things:
>   encrypt the database proper
>   most likely serves as secret used in random number entropy
> In particular, the master key
> does *NOT* participate in any form of active on-the-wire authentication
> or authorization.
>
> Hopefully you have a stash file with the master key, and weren't relying
> on your old angry Kerberos administrator to restart the database by hand
> each time the machine crashed. If you were, your best resort is probably
> the court system.
Marcus,

But the key still has been compromised, even though you can use it (in this case, the former admin presumably knows the password). So there's still a good reason to have the means for changing the master key.

> However, if you wanted to encrypt under a different master key, you could
> certainly dump and restore the database, and use that to change the master
> key. Looks like the "-mkey_convert" option to dump can do just this. At
> one point, there was some issue that dump/restore didn't actually save
> *everything* - hopefully that's fixed now.

There was a patch for 1.2.5 that was supposed to fix it. I just installed 1.2.7 on my test KDC and was pleased to see that the patch has, indeed, been incorporated. But I haven't had a chance to try it.

For me, on 1.2.5 without the patch, the (undocumented) "-mkey_convert" option of kdb5_util actually core dumped (if I remember correctly). I was going to test the patch and never got around to it. Now I'm hoping to test the feature with 1.2.7 to see if it really works.

Thanks.

Mike

------------------------------------------------------------------------------
Mike Friedman                          System and Network Security
[EMAIL PROTECTED]                      2484 Shattuck Avenue
1-510-642-1410                         University of California at Berkeley
http://ack.Berkeley.EDU/~mikef         http://security.berkeley.edu
------------------------------------------------------------------------------

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
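The dump-with-`-mkey_convert`, load, re-stash sequence the two posts describe, written out as an added example for an MIT KDC (this is not code from either post or from the MIT distribution). It assumes `kdb5_util`, `krb5kdc` and `kadmind` are on PATH, that the stash and dump paths below are right for the host (both are assumptions, override them with the environment variables), that `pkill` and a direct daemon start stand in for whatever init system the KDC uses, and that the load-then-stash order works on the version in use; the thread itself notes the option was undocumented, so check it against a test KDC as Mike does. `DRY_RUN=1` prints the commands instead of running them, which is also how the sequence can be reviewed before anyone touches the production database.

```shell
#!/bin/sh
# Rotate the MIT Kerberos master key via kdb5_util dump -mkey_convert.
# Added example, not from the mailing-list posts; paths are assumptions.
set -eu
umask 077   # the dump holds every principal key; keep it owner-only

STASH_FILE="${STASH_FILE:-/var/kerberos/krb5kdc/.k5stash}"   # assumed path
DUMP_FILE="${DUMP_FILE:-/var/tmp/kdb-mkey-convert.dump}"     # assumed path
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# check_stash: a readable stash file must exist before we start, otherwise
# restarting the KDC depends on someone typing the old master password,
# which is exactly the dependency on the departed admin Marcus warns about.
check_stash() {
    [ -r "$1" ]
}

rotate_master_key() {
    if [ "$DRY_RUN" != "1" ] && ! check_stash "$STASH_FILE"; then
        echo "no readable stash file at $STASH_FILE; aborting" >&2
        return 1
    fi

    # Stop the daemons so no principal is written while the DB is swapped.
    run pkill -x kadmind || true
    run pkill -x krb5kdc || true

    # 1. Dump with -mkey_convert: kdb5_util prompts for the new master
    #    password and writes every key re-encrypted under the new master key.
    run kdb5_util dump -mkey_convert "$DUMP_FILE"

    # 2. Keep the old stash until the load has succeeded; it is the only way
    #    back to the old database if step 3 fails.
    run cp -p "$STASH_FILE" "$STASH_FILE.old"

    # 3. Load the converted dump over the existing database.
    run kdb5_util load "$DUMP_FILE"

    # 4. Re-stash: prompts for the new master password and rewrites the
    #    stash file, which the old password no longer matches.
    run kdb5_util stash

    # 5. The old stash and the dump are now the two copies of key material
    #    the former admin's password (or anyone with the file) could unlock.
    run rm -f "$DUMP_FILE" "$STASH_FILE.old"

    run krb5kdc
    run kadmind
}

# Stand-alone use: DRY_RUN=1 sh rotate_mkey.sh to review, then run for real.
[ "${ROTATE_ON_LOAD:-0}" = "1" ] && rotate_master_key
exit 0
```

After the rotation, the old master password is worthless for the database on disk, but the thread's point stands: any copy of the old stash file or of an old dump taken by the former admin still decrypts whatever database snapshot it came from, so those backups need the same attention as the live KDC.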
