[27205] in Kerberos


Re: "If you choose to install a stash file..."

daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Wed Jan 10 19:47:06 2007

Date: Wed, 10 Jan 2007 19:46:08 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
Message-ID: <4D29871E1FD3E01B5A0B8772@sirius.fac.cs.cmu.edu>
In-Reply-To: <200701101916.l0AJGqcQ000907@ginger.cmf.nrl.navy.mil>
MIME-Version: 1.0
Content-Disposition: inline
Cc: Jeffrey Hutzelman <jhutz@cmu.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



On Wednesday, January 10, 2007 02:16:53 PM -0500 Ken Hornstein 
<kenh@cmf.nrl.navy.mil> wrote:

>> In addition to needing to enter a passphrase to launch krb5kdc (with
>> the -m option), it looks like kdb5_util will also need a passphrase,
>> understandably.
>>
>> This means that the traditional cronjob-triggered kprop -> kpropd
>> replication won't work either, right?
>
> Actually, it shouldn't need a passphrase; the dump files contain the
> encrypted keys not the decrypted ones, and that's what kprop/kpropd
> pass around.  I thought that the MIT folks told me that they run without
> a stash file, and I see they have three KDCs.

I can't speak for current code, but several years ago we ran MIT KDCs with 
only the master having a stash file, and propagation worked just fine.

-- Jeff
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
