Subject: KDB should use enctype of stashed master key
Suppose you create a KDB with a non-default master key enctype:

kdb5_util -k rc4-hmac create -s

Now you have a K/M entry with the specified enctype, and a stash keytab
containing a nicely tagged key of the specified enctype. However, if
you try to access the KDB, you will get:

kadmin.local: No matching key in entry while initializing kadmin.local interface

So the code is specifically looking for a key of the expected master key
enctype (either the one specified in the profile's master_key_type or
the default) instead of using what it can find in the stash file.

This is a big problem if we ever want to change the master key type
between releases (which we do, since the default is currently triple
DES). Databases created with the old master key type will stop working
unless the admin adds a master_key_type setting to kdc.conf, which is
not a friendly experience.

While the title of this ticket suggests using the enctype of the stashed
master key, another approach would be trying the enctypes of the keys in
K/M db entries. The latter approach is perhaps more interesting because
it would also work for typed passwords.

We are changing the default master key enctype to AES256 in krb5-1.8, so this
also needs fixing by krb5-1.8.

The problem is actually more constrained than I actually thought. If
you have a stashed master key, master key retrieval works just fine
regardless of the default master key enctype. However, there are two
big caveats:

1. When you start up kadmind or kadmin.local, the kadmin/history key is
retrieved using krb5_dbe_find_enctype with the default master key
enctype specified; this fails if the database was created with a
different master key enctype. This is easy to fix and will be fixed
shortly.

2. If you type out the key using krb5kdc -m, you get:

krb5kdc: Unable to decrypt latest master key with the provided master key - while fetching master keys list for realm TEST.ORG

if the master key enctype is not the default (and is not specified via
the -k option). We can be friendlier than that, by looking up the key
type in the K/M entry. This is a little less trivial to fix.
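The lookup in item 1 above, as an added example that is not krb5's own code: a small C model of the key_data search that krb5_dbe_find_enctype performs on a KDB entry, where a filter value of -1 means "any". It contrasts the pre-fix lookup (history key searched by the configured default master key enctype) with the fix (accept any enctype). The functions find_key, history_key_strict and history_key_any, the NO_MATCHING_KEY value and the kadmin_history entry are constructed for this example; the enctype numbers are the standard assignments.

```c
/*
 * Added example, not code from krb5: a model of the key_data search that
 * krb5_dbe_find_enctype performs on a KDB principal entry.  A filter value
 * of -1 means "any".  The entry and the NO_MATCHING_KEY value are
 * constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard enctype numbers (RFC 3961 / krb5 headers). */
#define ENCTYPE_DES3_CBC_SHA1           16
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
#define ENCTYPE_ARCFOUR_HMAC            23

#define NO_MATCHING_KEY (-1)   /* constructed: index result meaning "not found" */

typedef struct {
    int32_t enctype;   /* key_data_type[0] in the real entry */
    int32_t salttype;  /* key_data_type[1] */
    int32_t kvno;
} key_data;

typedef struct {
    const char *princ;
    size_t n_keys;
    key_data keys[4];
} db_entry;

/*
 * Return the index of the key matching ktype/stype/kvno, or NO_MATCHING_KEY.
 * -1 in any filter means "any"; with kvno == -1 the highest kvno wins,
 * which is how the latest key gets selected.
 */
int find_key(const db_entry *e, int32_t ktype, int32_t stype, int32_t kvno)
{
    int best = NO_MATCHING_KEY;
    for (size_t i = 0; i < e->n_keys; i++) {
        const key_data *k = &e->keys[i];
        if (ktype != -1 && k->enctype != ktype) continue;
        if (stype != -1 && k->salttype != stype) continue;
        if (kvno != -1 && k->kvno != kvno) continue;
        if (best == NO_MATCHING_KEY || k->kvno > e->keys[best].kvno)
            best = (int)i;
    }
    return best;
}

/* Pre-fix behaviour: the history key is searched by the default mkey enctype. */
int history_key_strict(const db_entry *hist, int32_t default_mkey_enctype)
{
    return find_key(hist, default_mkey_enctype, -1, -1);
}

/* Post-fix behaviour (r23607): any enctype is accepted. */
int history_key_any(const db_entry *hist)
{
    return find_key(hist, -1, -1, -1);
}

/* Constructed kadmin/history entry for a KDB created with -k rc4-hmac. */
const db_entry kadmin_history = {
    "kadmin/history@TEST.ORG", 1, { { ENCTYPE_ARCFOUR_HMAC, 0, 1 } }
};

int main(void)
{
    int strict = history_key_strict(&kadmin_history, ENCTYPE_DES3_CBC_SHA1);
    int any = history_key_any(&kadmin_history);

    printf("strict lookup (default des3): %s\n",
           strict == NO_MATCHING_KEY ? "No matching key in entry" : "found");
    if (any != NO_MATCHING_KEY)
        printf("wildcard lookup: key index %d (enctype %d)\n",
               any, kadmin_history.keys[any].enctype);
    return 0;
}
```

With the database created using rc4-hmac and the default still triple DES, the strict lookup reports no matching key (the kadmin.local failure quoted above), while the wildcard lookup finds the rc4-hmac history key.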

From: ghudson@mit.edu
Subject: SVN Commit

When retrieving the kadmin/history key, accept any enctype, as the
current master key enctype may not match the one the KDB was created
with.


https://github.com/krb5/krb5/commit/9f4eacfe818bff7e0d8c2c14f713aa28f06420e4
Commit By: ghudson
Revision: 23607
Changed Files:
U trunk/src/lib/kadm5/srv/server_kdb.c

It turns out that the default enctype for a typed-in password in the KDC
is still des-cbc-crc. So the remainder of this ticket is probably not a
pressing 1.8 issue; we've had problems in that department since the
default enctype changed to triple DES.

From: tlyu@mit.edu
Subject: SVN Commit

pull up r23607 from trunk

------------------------------------------------------------------------
r23607 | ghudson | 2010-01-07 15:57:02 -0500 (Thu, 07 Jan 2010) | 7 lines

ticket: 6546
status: open

When retrieving the kadmin/history key, accept any enctype, as the
current master key enctype may not match the one the KDB was created
with.

https://github.com/krb5/krb5/commit/373db284e905a4ce52b396c939ac13db61ac5c7f
Commit By: tlyu
Revision: 23658
Changed Files:
U branches/krb5-1-8/src/lib/kadm5/srv/server_kdb.c

The change here is superseded by the change in #6640.

Closing this ticket; I'll open a new one about typed-in master keys.