RT/krbdev.mit.edu: Ticket #7743 kadmin cannot add principal and extract random key in one step
The Basics
Id: 7743
Status: open
Worked: 0 min
Priority: 0/0
Queue: krb5


Relationships
Referred to by: 7704: (Nobody) Anonymous kadmin does not work [resolved]
Dates
Created: Tue Oct 29 09:16:20 2013
Updated: Tue Oct 29 09:16:20 2013 by ghudson

People
Owner: Nobody
Requestors: ghudson@mit.edu

History
Tue Oct 29 09:16:20 2013  ghudson - Ticket created
Subject: kadmin cannot add principal and extract random key in one step

If a kadmin client has only "add" privileges, it cannot add a principal
with a random key and get the key in a single step.  If the client gives
addprinc the -randkey option, then nobody except the KDC will know the
key, and the client won't be able to act on the created principal.

The workaround is to create the principal with a password and then use
self-service to change the key to a random key.  But this is awkward at
best: the client must make up a temporary but secure password, the
kadmin server must perform unnecessary string-to-key operations, the
password could fail password quality rules, etc.

A possible design to allow addition and key extraction as a single step
would be:

* Create a new create_principal4 RPC which accepts the same argument as
create_principal3 but returns the keys, either using a chrand_ret or a
substantially identical structure.  create_principal3 can be implemented
in terms of create_principal4 in the server library, just as
create_principal is implemented in terms of create_principal3.

* Add a -keytab argument to the addprinc command.  If it is used, kadmin
uses create_principal4 (and therefore only works with a new kadmin
server); otherwise it uses create_principal3 or create_principal as
appropriate.
