Skip Menu |

Subject: KDB should use enctype of stashed master key
Suppose you create a KDB with a non-default master key enctype:

kdb5_util -k rc4-hmac create -s

Now you have a K/M entry with the specified enctype, and a stash keytab
containing a nicely tagged key of the specified enctype. However, if
you try to access the KDB, you will get:

kadmin.local: No matching key in entry while initializing kadmin.local

So the code is specifically looking for a key of the expected master key
enctype (either the one specified in the profile's master_key_type or
the default) instead of using what it can find in the stash file.

This is a big problem if we ever want to change the master key type
between releases (which we do, since the default is currently triple
DES). Databases created with the old master key type will stop working
unless the admin adds a master_key_type setting to kdc.conf, which is
not a friendly experience.
While the title of this ticket suggests using the enctype of the stashed
master key, another approach would be trying the enctypes of the keys in
K/M db entries. The latter approach is perhaps more interesting because
it would also work for typed passwords.
We are changing the default master key enctype to AES256 in krb5-1.8, so this also needs
fixing by krb5-1.8.
The problem is actually more constrained than I actually thought. If
you have a stashed master key, master key retrieval works just fine
regardless of the default master key enctype. However, there are two
big caveats:

1. When you start up kadmind or kadmin.local, the kadmin/history key is
retrieved using krb5_dbe_find_enctype with the default master key
enctype specified; this fails if the database was created with a
different master key enctype. This is easy to fix and will be fixed

2. If you type out the key using krb5kdc -m, you get:

krb5kdc: Unable to decrypt latest master key with the provided master key
- while fetching master keys list for realm TEST.ORG

if the master key enctype is not the default (and is not specified via
the -k option). We can be friendlier than that, by looking up the key
type in the K/M entry. This is a little less trivial to fix.
Subject: SVN Commit

When retrieving the kadmin/history key, accept any enctype, as the
current master key enctype may not match the one the KDB was created
Commit By: ghudson
Revision: 23607
Changed Files:
U trunk/src/lib/kadm5/srv/server_kdb.c
It turns out that the default enctype for a typed-in password in the KDC
is still des-cbc-crc. So the remainder of this ticket is probably not a
pressing 1.8 issue; we've had problems in that department since the
default enctype changed to triple DES.
Subject: SVN Commit

pull up r23607 from trunk

r23607 | ghudson | 2010-01-07 15:57:02 -0500 (Thu, 07 Jan 2010) | 7 lines

ticket: 6546
status: open

When retrieving the kadmin/history key, accept any enctype, as the
current master key enctype may not match the one the KDB was created
Commit By: tlyu
Revision: 23658
Changed Files:
U branches/krb5-1-8/src/lib/kadm5/srv/server_kdb.c
The change here is superceded by the change in #6640.

Closing this ticket; I'll open a new one about typed-in master keys.