Remembering Master Password
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Sep 27 16:38:08 EDT 2006
On Wednesday, September 27, 2006 01:26:22 PM -0700 "Henry B. Hotz"
<hotz at jpl.nasa.gov> wrote:
>
> On Sep 27, 2006, at 11:10 AM, Jeffrey Hutzelman wrote:
>
>>
>> On Wednesday, September 27, 2006 08:52:52 AM -0700 "Henry B. Hotz"
>> <hotz at jpl.nasa.gov> wrote:
>>
>>> Heimdal uses a standard keytab file for the master password. In
>>> Heimdal kadmin you can do:
>>>
>>> add -r M/K
>>> del_enc M/K <all encryption types except the one you want>
> mod --kvno==<desired next version #> M/K ;-)
>>> ext_key -k <master key stash location> M/K
>>> delete M/K
>>
>> You can, but if you do that multiple times, you'll end up with
>> multiple keys with the same kvno. Since Heimdal records for each
>> record the version of the master key that was used to encrypt it
>> (if any), it can handle multiple keys and do a gradual transition.
>> But that won't work if you keep reusing the same version.
>>
>> Also, that's rather convoluted compared to
>>
>> ktutil add -r -p M/K
>
> So it is. You can't delete it from the master DB afterwards with
> ktutil, but I guess you're advocating just leaving it there so you don't
> have to track the version number yourself?
'ktutil add' doesn't talk to the server at all; it only manipulates the
keytab. So, the entry never gets added to the database.
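The problem Jeffrey describes, several M/K keys in the stash with the same kvno after repeated `add -r` / `ext_key` rounds, is easy to check for in the keytab itself. The following Python is added here and is not part of this thread or of Heimdal: it serialises a constructed version-0x0502 keytab (the on-disk layout Heimdal and MIT share), parses it back, and reports any principal whose kvno appears more than once; the realm EXAMPLE.COM and the key bytes are made up.

```python
import struct
from collections import Counter
# Constructed sample (made-up realm and key bytes; enctype 18 = aes256-cts-hmac-sha1-96).
SAMPLE = [("M/K@EXAMPLE.COM", 1, 18, b"\x11" * 32),   # first "add -r / ext_key" round
          ("M/K@EXAMPLE.COM", 1, 18, b"\x22" * 32),   # second round: same kvno, new key
          ("M/K@EXAMPLE.COM", 2, 18, b"\x33" * 32)]   # a rotation that bumped the version

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into a version-0x0502 keytab."""
    out = b"\x05\x02"
    for princ, kvno, etype, key in entries:
        name, realm = princ.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))                # v2 count excludes the realm
        for s in [realm] + comps:                           # counted octet strings
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key  # name_type, timestamp, vno8, etype, keylen
        body += struct.pack(">I", kvno)                     # trailing 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key)] from a version-0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only version 0x0502 keytabs are handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                                        # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strs = []
        for _ in range(ncomp + 1):                          # realm first, then the components
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        _, _, vno8, etype, klen = struct.unpack(">IIBHH", data[pos:pos + 13]); pos += 13
        key = data[pos:pos + klen]; pos += klen
        vno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        pos = end
        entries.append(("/".join(strs[1:]) + "@" + strs[0], vno32 or vno8, etype, key))
    return entries

def duplicate_kvnos(entries):
    """Map principal -> sorted kvnos that occur more than once in the keytab."""
    dups = {}
    for (p, k), n in Counter((p, k) for p, k, _, _ in entries).items():
        if n > 1: dups.setdefault(p, []).append(k)
    return {p: sorted(v) for p, v in dups.items()}
```

Run `duplicate_kvnos(parse_keytab(open(path, "rb").read()))` against a real stash file; a non-empty result means a rotation reused a version number and the gradual transition Jeffrey describes cannot work.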