[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Heimdal/AFS Master Key Coordination
"Henry B. Hotz" <email@example.com> writes:
> Ummm. . . How do you do that so the KDC works? It only reads one
> master key when it starts up, I thought.
The mkeyfile is just a keytab, and can contain several key versions.
> I've got it working with no master key at all, but I'm not sure I want
> to stay that way. I suppose the way to change master keys wholesale
> is to either dump --decrypt/load, or to run it through hprop
> --decrypt/hpropd --encrypt?
hprop --encrypt --stdout | hpropd --stdin should do it. But be sure to
save a copy of the database, in case anything screws up.
> I presume when running hprop/hpropd between machines it uses
> Kerberos encryption over the wire. That's independent of the key
> encryption, right?
> There is no --encrypt option on hpropd, is there?
> I know I'm nit-picking all the details here, but I have to say that
> I'm really pleased with the flexibility of the system. Being able
> to run with a kaserver master for a while makes the conversion to K5
> a *lot* easier to implement here.