[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Heimdal/AFS Master Key Coordination
At 9:48 AM +0200 9/24/03, Johan Danielsson wrote:
>"Henry B. Hotz" <email@example.com> writes:
> > There was a recent post to the effect that hpropd couldn't tell if
>> it was getting encrypted data or not.
>An application that requires access to key material, will decrypt if
>necessary. In fact, you can have keys encrypted with different master
>keys, and unencrypted keys in the same database (not that I recommend
Ummm. . . How do you do that so the KDC works? It only reads one
master key when it starts up, I thought.
I've got it working with no master key at all, but I'm not sure I
want to stay that way. I suppose the way to change master keys
wholesale is to either dump --decrypt/load, or to run it through
hprop --decrypt/hpropd --encrypt?
I presume when running hprop/hpropd between machines it uses Kerberos
encryption over the wire. That's independent of the key encryption,
> > So the kaserver DB is unencrypted; the Heimdal DB is encrypted.
>> When/how is the encryption with the Heimdal master key done?
>By hprop, if used with --encrypt.
There is no --encrypt option on hpropd, is there? It's not in the
documentation and when I did a "hpropd --encrypt" it just spat the
usage message back at me (Heimdal 0.6).
I know I'm nit-picking all the details here, but I have to say that
I'm really pleased with the flexibility of the system. Being able to
run with a kaserver master for a while makes the conversion to K5 a
*lot* easier to implement here.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or firstname.lastname@example.org