Skip Menu |
 

Subject: new multi-masterkey support doesn't work well when system clock is set back
If the system clock on a KDC is set back in time after a mkey is
activated "now" or if the admin sets the active time for all existing
mkeys in the future it is possible that the code will not find any mkey
active. This is a problem as there should always be one "active" mkey
used to protect principal keys. I'd like to address this by making
several changes including:

- Modify krb5_dbe_find_act_mkey() to return the mkey with the lowest
KVNO if there are no actkvno entries with a time equal or earlier than
the current time.

- Modify krb5_dbe_fetch_act_key_list() to return a default actkvno entry
with time == 0 if there is not actkvno TL data in the mkey princ
entry. Currently its setting time to the current time but again if
the clock is set back this could cause problems.

- Remove the code in use_mkey that auto-trims the actkvno list. I
don't think this is really necessary since the actkvno list will be
edited when the purge_mkeys command is run.
Date: Mon, 2 Feb 2009 22:06:31 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6359] new multi-masterkey support doesn't work well when system clock is set back
RT-Send-Cc:
On Tue, Feb 03, 2009 at 01:43:39AM +0000, william.fiveash@sun.com via RT wrote:
Show quoted text
> If the system clock on a KDC is set back in time after a mkey is
> activated "now" or if the admin sets the active time for all existing
> mkeys in the future it is possible that the code will not find any mkey
> active. This is a problem as there should always be one "active" mkey
> used to protect principal keys. I'd like to address this by making
> several changes including:

Can't the active key be marked in the principal's record via TL data?
Date: Tue, 3 Feb 2009 10:51:49 -0600
From: Will Fiveash <William.Fiveash@Sun.COM>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6359] new multi-masterkey support doesn't work well when system clock is set back
RT-Send-Cc:
On Tue, Feb 03, 2009 at 04:15:19AM +0000, Nicolas Williams via RT wrote:
Show quoted text
> On Tue, Feb 03, 2009 at 01:43:39AM +0000, william.fiveash@sun.com via RT wrote:
> > If the system clock on a KDC is set back in time after a mkey is
> > activated "now" or if the admin sets the active time for all existing
> > mkeys in the future it is possible that the code will not find any mkey
> > active. This is a problem as there should always be one "active" mkey
> > used to protect principal keys. I'd like to address this by making
> > several changes including:
>
> Can't the active key be marked in the principal's record via TL data?

See: http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/