Re: Heimdal/AFS Master Key Coordination

At 2:21 PM +0200 9/23/03, Johan Danielsson wrote:
>"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:
>>  Kerberos encrypts its database with a master key kept in the stash
>>  file.  AFS kaserver does something similar, but I'm not sure exactly
>>  what.
>The kaserver database is not encrypted.

OK, that fits.

>>  What I tried doing was using ktutil to convert the
>>  /usr/afs/etc/KeyFile to a K5 keytab and feeding that to hprop
>>  --keyfile=... --decrypt --stdout.
>The --keyfile is only used for authenticating to a remote hpropd. Did
>you try --source=kaserver?

Yes, the exact command was:

/usr/heimdal/libexec/hprop --keytab=/hhroot/m-keytab --source=kaserver --cell=jpl04.nasa.gov --kaspecials --decrypt --stdout | . . .

Sounds like I was trying too hard.  I guess it should just be
(default DB location works):

hprop --source=kaserver --cell=jpl04.nasa.gov --kaspecials --stdout

>hprop --stdout --source=kaserver --database=/whereever/kaserver.DB0

Now about the hpropd:  Does it encrypt the database using the master 
key in the stash file?  There was a recent post to the effect that 
hpropd couldn't tell if it was getting encrypted data or not.  So the 
kaserver DB is unencrypted;  the Heimdal DB is encrypted.  When/how 
is the encryption with the Heimdal master key done?

The jpl04 test cell is down right now, otherwise I'd do more testing
and ask fewer questions.  Thanks for the help.

--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu