Kerberos FAQ, v2.0 (last modified 8/18/2000)
FAQ Maintainer (send corrections/additions): Ken Hornstein <kenh@cmf.nrl.navy.mil>
Last Update March 27 2014 @ 02:11 PM

The protocol that kadmin uses has no way of extracting a key from the database. That was a deliberate design decision; it prevents a compromised admin account from being able to read out all of the keys from the database.

However, there is a way to create a new random key and return this key to the client program. This is used by the ktadd command of kadmin to get a new key to add to a keytab. A new random key is created for the principal, and as a result, the kvno gets incremented (just like when a user changes their password). The returned random key then gets added to the keytab.

This has a couple of noteworthy side effects. You can't use ktadd to add the same key to more than one host, because the key will be changed on the second host you add it to. Also, since you'll be creating a new key, tickets created with the old key will no longer be valid. You can work around this by saving the old key in the keytab, but if you're regenerating a key because the previous one didn't match the one in the KDC, you will need to have your users acquire new service tickets (by running kinit or the equivalent) before they will get tickets encrypted with the new key.
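The kvno side effects described above, as an added toy model (not MIT Kerberos code and not part of the original FAQ): the KDC class, the keytab dicts and the principal name host/web.example.com are all constructed here. Running ktadd on a second host bumps the kvno and strands the first host's entry, while a keytab that keeps its older entries still decrypts tickets issued under the previous kvno.

```python
import os

class KDC:
    """Toy model (constructed here, not MIT code) of the rule the FAQ states:
    kadmin never hands an existing key out; it can only mint a fresh random one."""
    def __init__(self):
        self.db = {}                        # principal -> {"key", "kvno"}

    def addprinc(self, name):
        self.db[name] = {"key": os.urandom(16), "kvno": 1}

    def randkey(self, name):
        # New random key; kvno increments exactly as on a password change.
        p = self.db[name]
        p["key"], p["kvno"] = os.urandom(16), p["kvno"] + 1
        return p["kvno"], p["key"]

def ktadd(kdc, name, keytab):
    """Client side of ktadd: ask for a new key and store it under its kvno.
    Older entries stay in the keytab (the workaround the FAQ mentions)."""
    kvno, key = kdc.randkey(name)
    keytab[(name, kvno)] = key

def issue_ticket(kdc, name):
    """Service ticket stamped with the kvno of the key it is encrypted under."""
    p = kdc.db[name]
    return {"kvno": p["kvno"], "key": p["key"]}

def accepts(keytab, name, ticket):
    """The service can decrypt only if its keytab holds the key with that kvno."""
    return keytab.get((name, ticket["kvno"])) == ticket["key"]

def two_host_scenario():
    """ktadd on host B bumps the kvno and strands the key host A just received;
    regenerating on A later is harmless for old tickets because A kept kvno 2."""
    kdc, svc = KDC(), "host/web.example.com"    # placeholder principal name
    kdc.addprinc(svc)
    ktab_a, ktab_b = {}, {}
    ktadd(kdc, svc, ktab_a)                     # kvno 2, held only by A
    t2 = issue_ticket(kdc, svc)
    ktadd(kdc, svc, ktab_b)                     # kvno 3; A's entry is now stale
    t3 = issue_ticket(kdc, svc)
    ktadd(kdc, svc, ktab_a)                     # regenerate on A: kvno 4
    t4 = issue_ticket(kdc, svc)
    return {"a_t2": accepts(ktab_a, svc, t2), "a_t3": accepts(ktab_a, svc, t3),
            "a_t4": accepts(ktab_a, svc, t4), "b_t3": accepts(ktab_b, svc, t3),
            "b_t4": accepts(ktab_b, svc, t4)}
```

Host A rejects the kvno 3 ticket that host B's ktadd caused the KDC to issue, which is exactly the "same key on two hosts" failure the FAQ warns about.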