Subject: kdb5_util add_mkey should ensure master key activation times list exists
The master key activation times list is a tl-data value on the K/M entry
containing {kvno, time} tuples, and determines which master key is
considered "active" for the purpose of encrypting new keys.

This list is currently written by the kdb5_util create, use_mkey, and
purge_mkeys commands. If a KDB was created before 1.7, the list will
not exist in the K/M entry unless someone has run use_mkey.

In the absence of this list, we have some not-very-optimal fallbacks:

* kadmin/kadmin.local will synthesize a list which assumes that the most
recent mkvno is active.

* kdb5_util list_mkeys will display the current time as the "active on"
time for all master keys, and will assume that the most recent mkvno is
active.

As a result, if you run "kdb5_util add_mkey" on an old KDB, the new
master key becomes active immediately (although kadmind will not
recognize this until it restarts; see #7685), before you have had a
chance to propagate the new master key to slave KDCs.

kdb5_util add_mkey should ensure that the master key activation times
list exists, so that we get consistent behavior with old and new KDBs.
From: ghudson@mit.edu
Subject: git commit

Correctly activate master keys in pre-1.7 KDBs

Starting with 1.7, databases are created with actkvno tl-data in the
K/M entry which gives the initial master key version an activation
time of 0. A database created before 1.7 will not have this tl-data,
but we should behave in the same way as we do for a more recent
database.

Move the actkvno list synthesis code from krb5_dbe_fetch_act_key_list
to krb5_dbe_lookup_actkvno so it applies to kdb5_util commands as well
as libkadm5. Synthesize the same list as we would have initialized
the KDB with, with an activation time of 0 for the earliest master
key.

https://github.com/krb5/krb5/commit/ec560fac83912abaa15fb158101c8174497081c5
Author: Greg Hudson <ghudson@mit.edu>
Commit: ec560fac83912abaa15fb158101c8174497081c5
Branch: master
src/lib/kdb/kdb5.c | 41 +++++++++++++++++++----------------------
1 files changed, 19 insertions(+), 22 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Correctly activate master keys in pre-1.7 KDBs

Starting with 1.7, databases are created with actkvno tl-data in the
K/M entry which gives the initial master key version an activation
time of 0. A database created before 1.7 will not have this tl-data,
but we should behave in the same way as we do for a more recent
database.

Move the actkvno list synthesis code from krb5_dbe_fetch_act_key_list
to krb5_dbe_lookup_actkvno so it applies to kdb5_util commands as well
as libkadm5. Synthesize the same list as we would have initialized
the KDB with, with an activation time of 0 for the earliest master
key.

(cherry picked from commit ec560fac83912abaa15fb158101c8174497081c5)

https://github.com/krb5/krb5/commit/2c9170e862d95f542a59e6cf2379c7d2174fdeac
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 2c9170e862d95f542a59e6cf2379c7d2174fdeac
Branch: krb5-1.12
src/lib/kdb/kdb5.c | 41 +++++++++++++++++++----------------------
1 files changed, 19 insertions(+), 22 deletions(-)
Contrary to the initial description of this ticket, I did not change
add_mkey to instantiate the master key activation list. Instead, I
changed the fallback list to emulate what would be in the list if the DB
had been created after 1.7, and made the fallback list apply to all cases
instead of just in kadmind.
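The following C program is an added example, not code from krb5 or from the commits above. It models the K/M entry's actkvno tl-data as a list of {kvno, time} tuples and implements the two fallbacks the ticket and the final comment describe: the old libkadm5 synthesis (most recent mkvno active as of now) and the fixed one (earliest mkvno with activation time 0), so the add_mkey-on-a-pre-1.7-KDB scenario from the ticket can be traced. All names (`active_mkvno`, `synthesize_old`, `synthesize_new`, `use_mkey`, `fallback_active`) are invented, the two-key KDB is constructed, and the selection rule "latest activation time that is not in the future wins" is a reading of the ticket's description rather than a copy of the real kdb5.c logic.

```c
/* Added example, not krb5 code: a simplified model of the K/M entry's actkvno
 * tl-data ({kvno, time} tuples) and of the two fallbacks the ticket describes
 * for a KDB that has no such list.  All names here are invented. */
#include <stddef.h>
#include <stdio.h>
#include <time.h>

#define MAX_ACTKVNO 8

struct actkvno { unsigned int kvno; time_t act_time; };   /* one tuple */
struct actkvno_list { struct actkvno entries[MAX_ACTKVNO]; size_t count; };

/* Constructed sample: a pre-1.7 KDB whose original master key is kvno 1,
 * right after "kdb5_util add_mkey" has added kvno 2 (not yet propagated). */
static const unsigned int sample_mkvnos[] = {1, 2};
#define SAMPLE_NKEYS (sizeof(sample_mkvnos) / sizeof(sample_mkvnos[0]))

/* The master key active at 'now': the entry with the latest activation time
 * that is not in the future.  Returns 0 (never a real mkvno here) if no
 * entry has become active yet. */
unsigned int active_mkvno(const struct actkvno_list *list, time_t now)
{
    unsigned int best_kvno = 0;
    time_t best_time = 0;
    int found = 0;
    for (size_t i = 0; i < list->count; i++) {
        const struct actkvno *e = &list->entries[i];
        if (e->act_time > now)
            continue;                   /* scheduled, not yet active */
        if (!found || e->act_time > best_time) {
            best_kvno = e->kvno;
            best_time = e->act_time;
            found = 1;
        }
    }
    return best_kvno;
}

/* Old fallback (libkadm5 before the fix): the highest mkvno is active now. */
void synthesize_old(const unsigned int *mkvnos, size_t n, time_t now,
                    struct actkvno_list *out)
{
    unsigned int newest = 0;
    for (size_t i = 0; i < n; i++)
        if (mkvnos[i] > newest)
            newest = mkvnos[i];
    out->count = 1;
    out->entries[0] = (struct actkvno){newest, now};
}

/* New fallback (as the commit message describes): emulate what a post-1.7
 * "kdb5_util create" would have written, the earliest mkvno at time 0. */
void synthesize_new(const unsigned int *mkvnos, size_t n,
                    struct actkvno_list *out)
{
    unsigned int oldest = mkvnos[0];
    for (size_t i = 1; i < n; i++)
        if (mkvnos[i] < oldest)
            oldest = mkvnos[i];
    out->count = 1;
    out->entries[0] = (struct actkvno){oldest, 0};
}

/* Model of "kdb5_util use_mkey <kvno> <time>"; -1 if the list is full. */
int use_mkey(struct actkvno_list *list, unsigned int kvno, time_t when)
{
    if (list->count >= MAX_ACTKVNO)
        return -1;
    list->entries[list->count++] = (struct actkvno){kvno, when};
    return 0;
}

/* Active mkvno on the sample KDB at 'now' under the old (fixed == 0) or the
 * new (fixed != 0) fallback, when the K/M entry carries no actkvno list. */
unsigned int fallback_active(int fixed, time_t now)
{
    struct actkvno_list list;
    if (fixed)
        synthesize_new(sample_mkvnos, SAMPLE_NKEYS, &list);
    else
        synthesize_old(sample_mkvnos, SAMPLE_NKEYS, now, &list);
    return active_mkvno(&list, now);
}

/* New fallback plus "use_mkey 2 <now + 1h>", evaluated at 'query'. */
unsigned int new_fallback_after_use_mkey(time_t now, time_t query)
{
    struct actkvno_list list;
    synthesize_new(sample_mkvnos, SAMPLE_NKEYS, &list);
    use_mkey(&list, 2, now + 3600);
    return active_mkvno(&list, query);
}

int main(void)
{
    time_t now = time(NULL);
    printf("old fallback: mkvno %u active now\n", fallback_active(0, now));
    printf("new fallback: mkvno %u active now\n", fallback_active(1, now));
    printf("new fallback, use_mkey 2 in 1h, queried 2h later: mkvno %u\n",
           new_fallback_after_use_mkey(now, now + 7200));
    return 0;
}
```

Under the old fallback the freshly added kvno 2 is reported active the moment it exists, which is the propagation race the ticket describes. Under the new fallback kvno 1 stays active (activation time 0) and kvno 2 only takes over once an explicit use_mkey time has passed, matching what a KDB created after 1.7 would do.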