[19988] in Kerberos_V5_Development
Re: Using a master key and principal name to derive password for
daemon@ATHENA.MIT.EDU (Ts7 Coe)
Wed Oct 16 09:59:50 2019
From: Ts7 Coe <tm3y@hotmail.com>
To: "Roland C. Dowdeswell" <elric@imrryr.org>
Date: Wed, 16 Oct 2019 13:59:13 +0000
Message-ID: <HK2PR06MB3539B5B9F9EEB11D84F093D89C920@HK2PR06MB3539.apcprd06.prod.outlook.com>
In-Reply-To: <20191016111545.GB23133@xiombarg.imrryr.org>
Content-Language: aa
MIME-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
I thought that when using PKINIT, the KDC would send the symmetric key to the principal,
maybe encrypted with the public key. It looks like this isn't true in Kerberos.
So I must deliver the symmetric key using an outbound connection.
If so, in my scenario, where the principal acts as both client and server, PKINIT seems
unnecessary, and a keytab file seems more suitable. But the approach I
described should still work.
There is one major problem with using a principal-name-derived password:
if one principal gets compromised, changing the master key could lead to
all principals' keys changing. But this could be resolved by inserting the
compromised principal into the database with a new key.
Thanks to @Roland and @Alexander for the kind help on this issue.
Also, I have another simple and quick question. In FreeIPA or Active Directory,
is it the case that service principals never change their symmetric key during their entire
lifetime if no compromise occurs?
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
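The scheme discussed in this thread, as an added illustration that is neither the poster's code nor part of MIT Kerberos or any KDC: per-principal keys are derived from a master key and the principal name, and a small override table plays the role of "inserting the compromised principal into the database with a new key". The derivation function (HMAC-SHA256 over the principal name), the `KeyStore` class, its methods and the kvno bookkeeping are all assumptions made for the example; the principal names are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed example: derive a per-principal long-term key from a master
# key and the principal name. HMAC-SHA256 with a fixed label is assumed here;
# a real deployment would use a proper KDF and the enctype's key size.
def derive_principal_key(master_key: bytes, principal: str) -> bytes:
    label = b"principal-long-term-key:" + principal.encode("utf-8")
    return hmac.new(master_key, label, hashlib.sha256).digest()


class KeyStore:
    """Hypothetical key database for the scheme in the thread.

    Keys are normally derived on demand from the master key. A principal
    that has been re-keyed (for example after a compromise) gets an explicit
    entry in `overrides`, which takes precedence over derivation. This is
    what lets one principal be rotated without touching the master key and
    therefore without changing every other principal's derived key.
    """

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.overrides: dict[str, tuple[int, bytes]] = {}  # principal -> (kvno, key)

    def key_for(self, principal: str) -> tuple[int, bytes]:
        """Return (kvno, key); overrides win over derivation."""
        if principal in self.overrides:
            return self.overrides[principal]
        return (1, derive_principal_key(self.master_key, principal))

    def rekey(self, principal: str) -> tuple[int, bytes]:
        """Replace one principal's key with a fresh random key and bump its kvno."""
        kvno, _ = self.key_for(principal)
        entry = (kvno + 1, secrets.token_bytes(32))
        self.overrides[principal] = entry
        return entry

    def affected_by_master_rotation(self, principals: list[str], new_master: bytes) -> list[str]:
        """List the principals whose key would change if the master key were
        replaced by `new_master`. Every derived key changes; only principals
        with an explicit override are unaffected. This is the blast radius
        the message calls the major problem of the scheme."""
        changed = []
        for p in principals:
            if p in self.overrides:
                continue
            if derive_principal_key(self.master_key, p) != derive_principal_key(new_master, p):
                changed.append(p)
        return changed


if __name__ == "__main__":
    store = KeyStore(secrets.token_bytes(32))
    names = ["daemon@ATHENA.MIT.EDU", "host/a.example.test@EXAMPLE.TEST",
             "host/b.example.test@EXAMPLE.TEST"]
    print("rekeying", names[0], "->", store.rekey(names[0])[0])
    print("principals hit by a master-key rotation:",
          store.affected_by_master_rotation(names, secrets.token_bytes(32)))
```

The point the example makes concrete: rotating one principal costs one database row, while rotating the master key costs every principal that still relies on derivation, so the override table is what keeps the compromise response local.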