Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege" (Corrected)

2017-06-29 Thread Henry B (Hank) Hotz, CISSP
> On Jun 29, 2017, at 12:45 PM, Nico Williams wrote: > > On Thu, Jun 29, 2017 at 11:41:41AM -0700, Henry B (Hank) Hotz, CISSP wrote: >>> On Jun 28, 2017, at 8:11 AM, Nico Williams wrote: >>> On Wed, Jun 28, 2017 at 07:28:59AM +0200, Lars-Johan

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-29 Thread Henry B (Hank) Hotz, CISSP
> On Jun 29, 2017, at 12:45 PM, Nico Williams wrote: > > On Thu, Jun 29, 2017 at 11:41:41AM -0700, Henry B (Hank) Hotz, CISSP wrote: >>> On Jun 28, 2017, at 8:11 AM, Nico Williams wrote: >>> On Wed, Jun 28, 2017 at 07:28:59AM +0200, Lars-Johan

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-28 Thread Chaskiel Grundman
I have a toolset deployed at Carnegie Mellon that attempts to address some of these problems (automatic rekeying of services and purging of old keys from keytabs). https://github.com/cg2v/krb-rekey The protocol is probably too cute and non-standard for people to want to use, and there isn't

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-28 Thread Jeffrey Altman
On 6/28/2017 1:17 AM, Russ Allbery wrote: > Nico Williams writes: > >> We do need better key mgmt support though. It'd be nice to have automatic >> rekeying and expunging of keys too old to be needed for decrypting >> extant live tickets. > > Yes, please, or I will inflict

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Russ Allbery
Nico Williams writes: > We do need better key mgmt support though. It'd be nice to have automatic > rekeying and expunging of keys too old to be needed for decrypting > extant live tickets. Yes, please, or I will inflict my hideous shell script on you that does this (using

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Russ Allbery
Jeffrey Hutzelman writes: > ext_keytab is poorly-named. In MIT Kerberos, it doesn't actually extract > anything; it generates a new key with a new kvno and stores it in both > the keytab and the kdb. MIT kadmind, going back as far as krb4, didn't > even have an operation to fetch

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Jeffrey Hutzelman
On Tue, 2017-06-27 at 16:42 -0700, Henry B (Hank) Hotz, CISSP wrote: > > > > On Jun 27, 2017, at 4:23 PM, Nico Williams > > wrote: > > > > We decided that it was never a good idea for "all" to have meant > > "extract keys", because in general that's not desirable. > How

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Henry B (Hank) Hotz, CISSP
> On Jun 27, 2017, at 4:23 PM, Nico Williams wrote: > > We decided that it was never a good idea for "all" to have meant > "extract keys", because in general that's not desirable. How is extracting keys different from extracting a keytab (with the keys inside it)?

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Nico Williams
On Mon, Jun 26, 2017 at 11:18:28AM +0200, Andreas Haupt wrote: > Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal > having all rights on the database is unable to extract keytabs: This is on purpose. We decided that it was never a good idea for "all" to have meant
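Since "all" no longer implies key extraction in Heimdal 7.x, the practical consequence for an upgrade is that every kadmind ACL entry that relied on that has to name `get-keys` explicitly. The following is an added example, not from the thread or the Heimdal sources: a before/after kadmind.acl pair and a small check that lists the principals an upgrade will break. It assumes the ACL file format I know from kadmind(8), one entry per line as `principal rights[,rights...] [target-principal-pattern]`, and that `get-keys` is the ACL keyword matching the privilege named in the error message; verify both against your own kadmind(8) before editing the live file.

```sh
#!/bin/sh
# Added example; not Heimdal code. Constructed ACL contents follow.

# Before: admin/admin got keytabs out of kadmind on 6.x via "all", and
# on 7.3 now sees "Operation requires `get-keys' privilege".
acl_before='# kadmind.acl (constructed sample)
admin/admin@EXAMPLE.COM    all
keytab-bot@EXAMPLE.COM     get,get-keys    host/*@EXAMPLE.COM
ro-auditor@EXAMPLE.COM     get,list'

# After: get-keys is granted explicitly, and only where keytab extraction
# is actually needed; the read-only auditor still cannot pull keys.
acl_after='# kadmind.acl (constructed sample)
admin/admin@EXAMPLE.COM    all,get-keys
keytab-bot@EXAMPLE.COM     get,get-keys    host/*@EXAMPLE.COM
ro-auditor@EXAMPLE.COM     get,list'

# needs_get_keys: read an ACL on stdin and print the principals that have
# "all" but not "get-keys", i.e. those whose ext_keytab will start failing
# after the 7.x change. Comments and blank lines are skipped.
needs_get_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF < 2 { next }
        {
            n = split($2, r, ",")
            has_all = 0; has_gk = 0
            for (i = 1; i <= n; i++) {
                if (r[i] == "all")      has_all = 1
                if (r[i] == "get-keys") has_gk = 1
            }
            if (has_all && !has_gk) print $1
        }'
}

check_before() { printf '%s\n' "$acl_before" | needs_get_keys; }
check_after()  { printf '%s\n' "$acl_after"  | needs_get_keys; }

# Run the check against a real file with:  needs_get_keys < /var/heimdal/kadmind.acl
# (path is the common default, adjust for your build)
check_before   # prints admin/admin@EXAMPLE.COM
check_after    # prints nothing
```

Treat the output as the list of principals to review, not to blanket-upgrade: the point of the change is that key extraction is a separate, rarer need than database administration, so most "all" entries should stay without `get-keys`.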

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Henry B (Hank) Hotz, CISSP
I’m with Love’s comment. Sounds like we did something different for some reason? Sounds like the current behavior is confusing, and therefore wrong, but I’ll have to make sure I understand it. I don’t think being able to get passwords is a different privilege from getting keys. Getting keytabs