On Sep 23, 2006, at 9:05 AM, [EMAIL PROTECTED] wrote:

> Date: Sat, 23 Sep 2006 08:42:51 CDT
> From: John Hascall <[EMAIL PROTECTED]>
> Subject: Re: Remembering Master Password
> To: "Jason C. Wells" <[EMAIL PROTECTED]>
> Cc: kerberos@mit.edu
> Message-ID: <[EMAIL PROTECTED]>
>
>> In big bold letters we are warned to "NOT FORGET" the password to the
>> database. For years I have kept my password faithfully documented and I
>> have _never_ used it. Why do I need to remember my database master
>> password?
>
> You have two options with your master password. One is to keep
> a copy on disk (what you seem to have done) and the other is to
> be prompted for it each time the KDC starts. In any event if you
> forget (and lose the file with) the master password your KDC DB
> is useless as it can not be decrypted to be used.
>
>> Can I randomize the database master password similar to using -randkey
>> on my service principals?
>
> I don't think I've seen a procedure documented to do that,
> if you really want to do that, I'd try it on a test realm
> first for sure!
>
> John

Heimdal uses a standard keytab file for the master password. In Heimdal kadmin you can do:

    add -r M/K
    del_enc M/K <all encryption types except the one you want>
    ext_key -k <master key stash location> M/K
    delete M/K

Heimdal also supports multiple master key versions in the keytab, and can re-encrypt the database with a new master key by doing:

    hprop --encrypt --stdout | hpropd --stdin

If someone wanted to add those features to MIT I'm sure they would like the contribution.

----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
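
A check worth running on the extracted stash before the final `delete M/K`, as an added example that is not part of the original message and not Heimdal code: it parses a keytab and reports which key versions and encryption types it holds for M/K. It assumes the stash is a version 0x0502 keytab; the function names and the sample bytes (realm EXAMPLE.ORG, all-zero key) are constructed for illustration.

```python
import io
import struct

def _entry(buf):
    """Decode one entry body into (principal, kvno, enctype, key length)."""
    r = io.BytesIO(buf)
    def take(fmt):
        return struct.unpack(fmt, r.read(struct.calcsize(fmt)))[0]
    def counted():                      # uint16 length, then that many octets
        return r.read(take(">H"))
    ncomp = take(">H")
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    r.read(8)                           # skip name type and timestamp
    kvno, enctype, key = take(">B"), take(">H"), counted()
    if len(buf) - r.tell() >= 4:        # trailing 32-bit kvno, if nonzero, wins
        kvno = take(">I") or kvno
    return f"{name}@{realm}", kvno, enctype, len(key)

def parse_keytab(blob):
    """Yield entries of a version 0x0502 keytab, skipping holes left by deletions."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size > 0:
            yield _entry(blob[pos:pos + size])
        pos += abs(size)                # a negative size marks a hole of that length

def check_stash(blob, name="M/K"):
    """Return ({kvno: [enctypes]}, [problems]) for `name` in a keytab stash."""
    versions = {}
    for princ, kvno, enctype, _ in parse_keytab(blob):
        if princ.split("@")[0] == name:
            versions.setdefault(kvno, []).append(enctype)
    problems = [f"kvno {k} carries enctypes {e}"
                for k, e in versions.items() if len(e) > 1]
    if not versions:
        problems.append(f"no {name} entry in stash")
    return versions, problems

# Constructed sample: M/K@EXAMPLE.ORG, kvno 1, enctype 17 (aes128), all-zero key.
SAMPLE = (b"\x05\x02\x00\x00\x00\x36\x00\x02\x00\x0bEXAMPLE.ORG\x00\x01M\x00\x01K\x00\x00\x00\x01"
          b"\x00\x00\x00\x00\x01\x00\x11\x00\x10" + bytes(16) + b"\x00\x00\x00\x01")

if __name__ == "__main__":
    print(check_stash(SAMPLE))
```

An empty problem list means the stash holds M/K with one encryption type per key version; several key versions are reported without complaint.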