Re: Heimdal/AFS Master Key Coordination
"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:

> Ummm. . .  How do you do that so the KDC works?  It only reads one
> master key when it starts up, I thought.

The mkeyfile is just a keytab, and can contain several key versions.

> I've got it working with no master key at all, but I'm not sure I want
> to stay that way.  I suppose the way to change master keys wholesale
> is to either dump --decrypt/load, or to run it through hprop
> --decrypt/hpropd --encrypt?

hprop --encrypt --stdout | hpropd --stdin should do it. But be sure to
save a copy of the database, in case anything screws up.

> I presume when running hprop/hpropd between machines it uses
> Kerberos encryption over the wire.  That's independent of the key
> encryption, right?

Yes.

> There is no --encrypt option on hpropd, is there?

Right.

> I know I'm nit-picking all the details here, but I have to say that
> I'm really pleased with the flexibility of the system.  Being able
> to run with a kaserver master for a while makes the conversion to K5
> a *lot* easier to implement here.

Yup.

/Johan