All (pun intended!),
On Mon, Jun 26, 2017 at 11:18:28AM +0200, Andreas Haupt wrote:
>> Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal
>> having all rights on the database is unable to extract keytabs:
n...@cryptonector.com:
> This is on purpose.
> We decided that it w
Nico Williams writes:
> We do need better key mgmt support though. It'd be nice to have automatic
> rekeying and expunging of keys too old to be needed for decrypting
> extant live tickets.
Yes, please, or I will inflict my hideous shell script on you that does
this (using wallet).
--
Russ Allbe
On Tue, Jun 27, 2017 at 05:44:25PM -0700, Russ Allbery wrote:
> Jeffrey Hutzelman writes:
> > ext_keytab is poorly-named. In MIT Kerberos, it doesn't actually extract
> > anything; it generates a new key with a new kvno and stores it in both
> > the keytab and the kdb. MIT kadmind, going back as f
Jeffrey Hutzelman writes:
> ext_keytab is poorly-named. In MIT Kerberos, it doesn't actually extract
> anything; it generates a new key with a new kvno and stores it in both
> the keytab and the kdb. MIT kadmind, going back as far as krb4, didn't
> even have an operation to fetch existing keys fr
On Tue, 2017-06-27 at 16:42 -0700, Henry B (Hank) Hotz, CISSP wrote:
> >
> > On Jun 27, 2017, at 4:23 PM, Nico Williams
> > wrote:
> >
> > We decided that it was never a good idea for "all" to have meant
> > "extract keys", because in general that's not desirable.
> How is extracting keys differ
> On Jun 27, 2017, at 4:23 PM, Nico Williams wrote:
>
> We decided that it was never a good idea for "all" to have meant
> "extract keys", because in general that's not desirable.
How is extracting keys different from extracting a keytab (with the keys inside
it)?
Personal email. hbh...@oxy.
On Mon, Jun 26, 2017 at 11:18:28AM +0200, Andreas Haupt wrote:
> Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal
> having all rights on the database is unable to extract keytabs:
This is on purpose.
We decided that it was never a good idea for "all" to have meant
"extra
I’m with Love’s comment. Sounds like we did something different for some reason?
Sounds like the current behavior is confusing, and therefore wrong, but I’ll
have to make sure I understand it.
I don’t think being able to get passwords is a different privilege from getting
keys. Getting keytabs