• How to rekey kadmin/history

    From Mike@21:1/5 to All on Sat Oct 7 11:21:24 2023
    Folks,

    In a similar vein to my previous communication, I've found myself trying
    to update my principals from 3DES to AES. While this was successful for
    the most part, one of the issues that evades me is the correct way to
    rekey kadmin/history, as it seems the usual process doesn't work.
    Please could someone advise, as I haven't been able to find the Google
    foo.

    Kind regards,
    Mike.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ken Hornstein@21:1/5 to Mike on Sat Oct 7 13:03:02 2023
    Copy: kerberos@mit.edu

    > In a similar vein to my previous communication, I've found myself trying
    > to update my principals from 3DES to AES. While this was successful for
    > the most part, one of the issues that evades me is the correct way to
    > rekey kadmin/history, as it seems the usual process doesn't work.
    > Please could someone advise, as I haven't been able to find the Google
    > foo.

    The official documentation has the answer:

    https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-history-key

    Basically you run "cpw -randkey kadmin/history". There's no proper
    rollover support, unfortunately; all stored old keys get invalidated.
    My memory of the code is that the old keys will stick around in the
    database until the principal changes its password.

    --Ken

  • From Mike@21:1/5 to Ken Hornstein on Mon Oct 9 23:30:32 2023
    Copy: kerberos@mit.edu

    On 07/10/2023 18:03, Ken Hornstein wrote:
    > > In a similar vein to my previous communication, I've found myself trying
    > > to update my principals from 3DES to AES. While this was successful for
    > > the most part, one of the issues that evades me is the correct way to
    > > rekey kadmin/history, as it seems the usual process doesn't work.
    > > Please could someone advise, as I haven't been able to find the Google
    > > foo.
    >
    > The official documentation has the answer:
    >
    > https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-history-key
    >
    > Basically you run "cpw -randkey kadmin/history". There's no proper
    > rollover support, unfortunately; all stored old keys get invalidated.
    > My memory of the code is that the old keys will stick around in the
    > database until the principal changes its password.
    >
    > --Ken

    Thanks Ken,

    That did it. Basically I was missing out -randkey and getting:

    "change_password: Cannot change protected principal while changing
    password for "kadmin/history"

    Now I get it!

    Thanks again,
    Mike.
