On Thu, Jun 11, 2020 at 10:19:39PM +0000, Chris Hecker wrote:
> Maybe dump the core of the running process so you don't accidentally crash
> it while trying to debug it live? But that would make finding it in memory
> even harder...
I don't think it would make it harder.
BTW, we should make it much harder to delete important principals...
On Thu, Jun 11, 2020 at 03:32:35AM +0100, Harshawardhan Kulkarni wrote:
> I basically need advice on an ongoing issue I am currently stuck on.
> We have a Kerberised Hadoop Cloudera Cluster. KDC Admin server is on one of
> the nodes. We don't have a failover node for KDC server yet. On the KDC
> admin server while doing a clean up activity for unwanted kdc principals, I
> deleted the master key principal (K/M@REALM.COM). We never took a kdc dump
> of the master key. So we don't have a backup to restore from.
> Is there any way I can restore the master key principal?
If you have a running KDC you could use a debugger to recover that key.
It won't be easy. It's not something anyone does on a regular basis, so
I don't have instructions to give you.
> I have tried creating with kdb5_util add_mkey but the error says that KDC
> DB is not able to find a master key credential. I assume this would only
> work when you want to create another master key without deleting the
> primary key.
Adding a new key won't help you: the existing records are encrypted in
the old key.
> Another option for me would be to de-kerberise the cluster and create the
> same REALM and kerberise the cluster again. But there could be serious
> issues if this doesn't fix as this is a live cluster where people are using
> this on a daily basis.
You could rebuild your realm, yes. That's a flag day. Users in that
realm will need to be re-enrolled, keytabs will need to be re-created
and distributed...
Nico
--
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
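
An added example, not part of the thread and not MIT krb5 code: one way to act on the remark about making important principals harder to delete is to filter any clean-up list before it reaches the deletion step. The function names, the sample list and the set of protected patterns are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: keep database-critical principals out of a clean-up job.

# Returns 0 if the principal must never be deleted by a clean-up job.
# K/M holds the database master key; krbtgt/*, kadmin/* and kiprop/* are
# built-in service principals of an MIT krb5 realm (pattern list is an assumption).
is_protected() {
    case "$1" in
        K/M|K/M@*|krbtgt/*|kadmin/*|kiprop/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads candidate principals on stdin, one per line. Principals that are safe
# to pass to the deletion step go to stdout, refused ones are reported on stderr.
filter_cleanup_list() {
    while IFS= read -r princ; do
        [ -n "$princ" ] || continue
        if is_protected "$princ"; then
            printf 'REFUSED (protected): %s\n' "$princ" >&2
        else
            printf '%s\n' "$princ"
        fi
    done
}

# Constructed sample clean-up list; REALM.COM is the placeholder realm from the thread.
sample_list() {
    cat <<'EOF'
olduser1@REALM.COM
K/M@REALM.COM
hdfs/decommissioned-node.example@REALM.COM
krbtgt/REALM.COM@REALM.COM
kadmin/changepw@REALM.COM
EOF
}

# Dry run: print the commands instead of executing them. Take a database dump
# (kdb5_util dump) and back up the stash file before replacing echo with a real call.
sample_list | filter_cleanup_list | while IFS= read -r p; do
    echo "would run: kadmin.local -q \"delete_principal -force $p\""
done
```
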