Re: Incomplete documentation

On Thu, 18 Sep 2003, Martin MOKREJŠ wrote:

> On Thu, 18 Sep 2003, Love wrote:
> > Martin MOKREJŠ <mmokrejs@natur.cuni.cz> writes:
> > > Another question, how is the database on slaves encrypted? Does it use
> > > the master key from master KDC? I guess not. So where is the master key
> > > used on slaves? Is that the hprop/host key?
> >
> > It's encrypted with the master key in /var/heimdal/m-key, the
> > hprop/`hostname` keys are just for authentication and transport encryption
> > when dumping the database.
> That was my impression, but I did not generate any /var/heimdal/m-key on
> machines acting as slaves ... I did not have to do this step to start
> hpropd ... so is the database unencrypted? The web documentation (URL below)
> doesn't say anything about generating another master key (this time on slaves).

The database is also encrypted on the slaves, just as Love already told
you. If you don't put /var/heimdal/m-key onto the slave as well, the kdc
on the slave will not be able to read the database - this means you cannot
authenticate against a slave server.

BTW: What's the reason why the database files on the slaves are around
20-30% bigger than the original one on the master?


Andreas Haupt         E-Mail: ahaupt@ifh.de
 DESY Zeuthen
 Platanenallee 6
 15738 Zeuthen