• master key type in kdc.conf

    From Dan Mahoney (Gushi)@21:1/5 to All on Sun Oct 3 00:36:23 2021
    Hey all,

    We're in the process of rolling our mkey to get off 3des, and we found
    that someone in the before-times has put this line in our kdc.conf:

    master_key_type = des3-hmac-sha1

    Obviously, that's not going to be the master key type of the new key, and
    of course, I think when this command came out, there was no "use mkey"
    format, so this was perhaps a primitive rollover method?

    Would things break if I just took this line out? Or would the kdc fail to start because a K/M of the default enctype isn't present yet?

    Does it make sense to remove this line before rollover or after?
    (This might be worth a mention in the docs).

    -Dan

    --

    --------Dan Mahoney--------
    Techie, Sysadmin, WebGeek
    Gushi on efnet/undernet IRC
    FB: fb.com/DanielMahoneyIV
    LI: linkedin.com/in/gushi
    Site: http://www.gushi.org
    ---------------------------

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Hudson@21:1/5 to Dan Mahoney (Gushi) on Sun Oct 3 13:15:46 2021
    To: kerberos@mit.edu

    On 10/3/21 3:36 AM, Dan Mahoney (Gushi) wrote:
    > We're in the process of rolling our mkey to get off 3des, and we found
    > that someone in the before-times has put this line in our kdc.conf:
    >
    > master_key_type = des3-hmac-sha1
    > [...]
    > Would things break if I just took this line out? Or would the kdc fail to start because a K/M of the default enctype isn't present yet?

    From a review of the code, I am pretty sure that this setting is only
    used when the mkey is entered from the keyboard (including during KDB creation). Assuming you are using a stash file, you should be able to
    remove this setting.

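An added audit check, not code from the thread or from MIT krb5 itself: a small Python parser for the kdc.conf profile syntax (sections, `key = value`, nested `{ }` realm blocks) that flags realms still setting `master_key_type` to a DES or 3DES enctype and reports the configured `key_stash_file`, since Greg's point is that the setting only matters when the master key is typed in rather than read from a stash. The sample config, realm names, stash paths and the deprecated-prefix list are constructed for the example.

```python
import re

# Constructed kdc.conf fragment modelled on the thread; not a real deployment.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88
[realms]
    EXAMPLE.COM = {
        master_key_type = des3-hmac-sha1   # the line the thread asks about
        key_stash_file = /var/krb5kdc/.k5.EXAMPLE.COM
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
    OTHER.ORG = {
        key_stash_file = /var/krb5kdc/.k5.OTHER.ORG
    }
"""

# Enctype families to flag (assumption for this example: DES and 3DES only).
DEPRECATED_PREFIXES = ("des-", "des3-")


def parse_profile(text):
    """Parse the krb5 profile format into nested dicts.

    Handles the subset kdc.conf uses: [section] headers, key = value lines,
    '#' comments and nested 'name = { ... }' blocks (e.g. one per realm)."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:                                 # new top-level section
            stack = [root.setdefault(header.group(1), {})]
            continue
        if line == "}":                            # close the innermost block
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                           # open a nested block
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return root


def audit_master_key_types(text):
    """Return {realm: (master_key_type, key_stash_file)} for every realm whose
    master_key_type names a deprecated enctype family; the stash path is
    reported so the admin can confirm the mkey is stashed before removing it."""
    findings = {}
    for realm, cfg in parse_profile(text).get("realms", {}).items():
        mkt = cfg.get("master_key_type")
        if mkt and mkt.startswith(DEPRECATED_PREFIXES):
            findings[realm] = (mkt, cfg.get("key_stash_file"))
    return findings
```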