Subject: randkey does not update principal's master key version
kadm5_randkey_principal_3 does not call krb5_dbe_update_mkvno after
krb5_dbe_crk, so while it uses the currently active mkvno, it does not
update the principal's metadata to reflect this.

Steps to reproduce:

1. make testrealm
2. kdb5_util add_mkey -s (enter a new master password twice)
3. kdb5_util use_mkey 2
4. kadmin.local -q 'cpw -randkey user' (or alternatively, ktadd)
5. kadmin.local -q 'getprinc user' (erroneously reports "MKey: vno 1")

The keys still decrypt properly in the KDC because we iterate over all
of the master keys trying to decrypt instead of obeying the principal's
mkvno metadata. But at least one operation fails:

6. kdb5_util update_princ_encryption (reports "Decrypt integrity check
failed" on the user principal)
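
A check for the symptom in step 5, added here as an example (it is not part of the ticket or of krb5): it reads `getprinc` output and lists principals whose reported "MKey: vno" differs from the master key version expected to be active. The helper name `stale_mkvno` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not krb5 code. stale_mkvno is a hypothetical helper name.
# Input on stdin: output of one or more
#   kadmin.local -q 'getprinc <name>'
# runs, concatenated. Argument: the master key version expected to be active.
# Prints one line per principal whose mkvno metadata differs; returns 1 if any.

stale_mkvno() {
    expected=$1
    awk -v want="$expected" '
        # Remember which principal the following fields belong to.
        /^Principal: / { princ = $2 }
        # "MKey: vno N" is the metadata line the ticket refers to.
        /^MKey: vno /  {
            if ($3 + 0 != want + 0) {
                printf "%s mkvno=%d expected=%d\n", princ, $3, want
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample, trimmed to the getprinc fields the check needs.
# "user" shows the state from step 5: rekeyed, still reporting vno 1.
sample_output() {
    cat <<'EOF'
Principal: user@KRBTEST.COM
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96
MKey: vno 1
Principal: admin@KRBTEST.COM
Number of keys: 1
Key: vno 1, aes256-cts-hmac-sha1-96
MKey: vno 2
EOF
}

# Stand-alone run against the constructed sample, expecting mkvno 2.
sample_output | stale_mkvno 2 || echo "stale mkvno metadata found"
```

A mismatch alone does not distinguish a principal that has not been re-encrypted yet from one rekeyed through the affected randkey path; it only shows which entries still report the old version.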
From: ghudson@mit.edu
Subject: git commit

Make randkey update principal mkvno

In kadm5_randkey_principal_3, after updating the principal's keys,
update its mkvno tl-data to indicate the master key version we
encrypted the new keys with.

https://github.com/krb5/krb5/commit/05a3b205c5d7ee491a64e24581cb4def3814c05b
Author: Greg Hudson <ghudson@mit.edu>
Commit: 05a3b205c5d7ee491a64e24581cb4def3814c05b
Branch: master
src/lib/kadm5/srv/svr_principal.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add test case for randkey mkvno update

https://github.com/krb5/krb5/commit/b96f562888e3e7733e449a922920158e84e0a933
Author: Greg Hudson <ghudson@mit.edu>
Commit: b96f562888e3e7733e449a922920158e84e0a933
Branch: master
src/tests/t_mkey.py | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Make randkey update principal mkvno

In kadm5_randkey_principal_3, after updating the principal's keys,
update its mkvno tl-data to indicate the master key version we
encrypted the new keys with.

(cherry picked from commit 05a3b205c5d7ee491a64e24581cb4def3814c05b)

https://github.com/krb5/krb5/commit/af27b167ebde8de25ceabfe0c8be8e054854430a
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: af27b167ebde8de25ceabfe0c8be8e054854430a
Branch: krb5-1.13
src/lib/kadm5/srv/svr_principal.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Add test case for randkey mkvno update

(cherry picked from commit b96f562888e3e7733e449a922920158e84e0a933)

https://github.com/krb5/krb5/commit/0a6fe13208b13b33ada02f18958e0bb6f722409b
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 0a6fe13208b13b33ada02f18958e0bb6f722409b
Branch: krb5-1.13
src/tests/t_mkey.py | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)