Changing the database master key

Hello all,

My understanding from previous discussions was that it was not possible to
change the database master key for an MIT Kerberos KDC due to various bits
that are encrypted in the master key.  However, I noticed that the
kdb5_util man page seems to indicate that it can under dump:

    -mkey_convert
           prompts  for  a new master key.  This new master key will
           be used to re-encrypt the key data in the dumpfile.   The
           key data in the database will not be changed.

    -new_mkey_file mkey_file
           the  filename  of  a  stash file.  The master key in this
           stash file will be used to re-encrypt the key data in the
           dumpfile.   The  key  data  in  the  database will not be
           changed.

Those options make it sound like I could use a technique like:

 1. Create a new KDC database in a new location with an AES master key.
 2. Dump the old database using -new_mkey_file pointing at the new stash.
 3. Load the database dump into the new empty database.

and thereby change the database master key.  Is that correct?  Does this
fail for some reason?  Has anyone done this?

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
rra9 (667)
8/31/2006 4:23:27 PM

>My understanding from previous discussions was that it was not possible to
>change the database master key for an MIT Kerberos KDC due to various bits
>that are encrypted in the master key.  However, I noticed that the
>kdb5_util man page seems to indicate that it can under dump:
>
>    -mkey_convert
>           prompts  for  a new master key.  This new master key will
>           be used to re-encrypt the key data in the dumpfile.   The
>           key data in the database will not be changed.
>
>    -new_mkey_file mkey_file
>           the  filename  of  a  stash file.  The master key in this
>           stash file will be used to re-encrypt the key data in the
>           dumpfile.   The  key  data  in  the  database will not be
>           changed.

The problem is that you can change the master key ... but only to another
key of the same enctype.

When I investigated this ... it turns out that while the enctype is
stored in the stash file, none of the code makes use of that.  And
also, the history key enctype is derived from the master key enctype.
Neither of these is an insurmountable problem ... but at that point, I
gave up.  Maybe this is fixed in newer versions of MIT Kerberos ...
but I suspect when you try it, it will fail.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

kenh1 (173)
8/31/2006 5:36:31 PM
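As an added example (not code from this thread and not MIT krb5 code), the following Python inspects the stash file that step 2 of Russ's procedure points -new_mkey_file at, and performs the check Ken's reply says the KDC code did not: compare the enctype recorded in the stash with the enctype the new database is being created with, before attempting the dump/load. The field layouts and enctype numbers are the MIT on-disk formats; it also handles the keytab-style stash that krb5 1.7 and later write, which postdates this thread. The realm EXAMPLE.COM, the sample keys and both stash blobs are constructed for the demonstration.

```python
"""Inspect an MIT Kerberos KDC master-key stash file and check its enctype.

Constructed example for this thread, not MIT code. Two layouts are handled:
  * the classic layout written by 'kdb5_util stash' before krb5 1.7:
        uint16 enctype, uint32 key length, then the key bytes,
    stored in the stashing host's native byte order;
  * the keytab layout used by krb5 1.7 and later: a FILE keytab
    (magic 0x0502, big-endian fields) holding K/M@REALM entries.
"""
import struct
import sys

# Enctype numbers from RFC 3961, 3962 and 4757 (names as krb5.conf spells them).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
KEYTAB_MAGIC = b"\x05\x02"


def parse_classic_stash(data, byteorder="little"):
    """Classic layout; byteorder is the native order of the host that stashed it."""
    fmt = ("<" if byteorder == "little" else ">") + "HI"
    if len(data) < 6:
        raise ValueError("stash too short")
    enctype, keylength = struct.unpack(fmt, data[:6])
    # The KDC rejects lengths outside 1..1024; hitting this usually means the
    # file was read with the wrong byte order (e.g. moved between architectures).
    if not 0 < keylength <= 1024 or len(data) < 6 + keylength:
        raise ValueError("implausible key length %d (wrong byte order?)" % keylength)
    return [{"principal": None, "enctype": enctype, "kvno": None,
             "key": data[6:6 + keylength]}]


def _octets(data, pos):
    """Keytab counted octet string: uint16 length followed by the bytes."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab_stash(data):
    """Version-2 FILE keytab: each record is an int32 size then the entry body."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, p = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _octets(data, p)
            comps.append(comp)
        p += 8                   # int32 name type, int32 timestamp
        vno8 = data[p]
        (enctype,) = struct.unpack(">H", data[p + 1:p + 3])
        key, p = _octets(data, p + 3)
        kvno = vno8
        if p + 4 <= end:         # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack(">I", data[p:p + 4])[0] or vno8
        entries.append({"principal": (b"/".join(comps) + b"@" + realm).decode(),
                        "enctype": enctype, "kvno": kvno, "key": key})
        pos = end
    return entries


def parse_stash(data, classic_byteorder=sys.byteorder):
    """Dispatch on the keytab magic, as the KDC does when loading K/M."""
    if data[:2] == KEYTAB_MAGIC:
        return parse_keytab_stash(data)
    return parse_classic_stash(data, classic_byteorder)


def mismatched_enctypes(entries, wanted):
    """Entries whose enctype differs from the one the new database is created
    with. A non-empty result is the situation the reply above warns about:
    the stash records the enctype, but the conversion does not consult it."""
    return [e for e in entries if e["enctype"] != wanted]


def build_keytab_stash(realm, enctype, kvno, key):
    """Constructed K/M@REALM entry in keytab layout, used for the demo run."""
    def octets(b):
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", 2) + octets(realm.encode()) + octets(b"K") + octets(b"M")
    body += struct.pack(">iIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, time 0, vno8
    body += struct.pack(">H", enctype) + octets(key) + struct.pack(">I", kvno)
    return KEYTAB_MAGIC + struct.pack(">i", len(body)) + body


if __name__ == "__main__":
    # Constructed inputs: a classic des-cbc-crc stash from a little-endian KDC
    # and a keytab-layout aes256 stash for a hypothetical EXAMPLE.COM realm.
    old_stash = b"\x01\x00" + b"\x08\x00\x00\x00" + bytes(range(8))
    new_stash = build_keytab_stash("EXAMPLE.COM", 18, 2, bytes(32))
    for label, blob in (("old", old_stash), ("new", new_stash)):
        for e in parse_stash(blob, "little"):
            print(label, e["principal"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), e["kvno"])
    bad = mismatched_enctypes(parse_stash(old_stash, "little"), 18)
    print("old stash usable as aes256 master key:", not bad)
```

Run it against a real stash with `parse_stash(open(path, "rb").read(), "little")` (or "big" for a stash written on a big-endian KDC) and compare the reported enctype with the `-k` enctype used for `kdb5_util create`; a mismatch is exactly the case in which the dump/load technique above cannot be expected to produce a usable database.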
