
Re: hdb_set_master_key: Program lacks support for key type



George Ross <gdmr@dcs.ed.ac.uk> writes:

> 	hdb_set_master_key: Program lacks support for key type

There have been some substantial changes in the crypto framework
between 0.0 and 0.1.

First, all keytypes are now enctypes (this is the way it's supposed to
be). The old ktype_is_etype krb5.conf option tried to be somewhat
compatible with this in packets sent, but there were cases that were
hard to solve.

Secondly, DES3 encryption has been changed to use the key-usage
drafts, which might or might not be part of Son-of-RFC1510.

The first change affects a lot of things, but is normally quite easy
to fix. The second change breaks everything using DES3 (since the
string-to-key has changed too, the DES3 password has to be changed also).

In this case, what you have to do is change the database to use
enctypes instead of keytypes, and the best way to do this is to dump
the database (with an old kadmin), fiddle with the output, and then
reload it. What you have to do is change the DES key entries to
DES-CBC-CRC, DES-CBC-MD4, and DES-CBC-MD5.

An old dump looks something like this:

whatever@realm 1:0:1:0123456789abcdef:- ...

You have to change the key field to read
1:0:1:012...:-:0:2:012...:-:0:3:012..., the following sed expression
might do the trick:

sed -e 's/:0:1:\([0-9a-f]*:[-0-9a-f]*\)/:0:1:\1:0:2:\1:0:3:\1/'

Then you also have to change the master key to have a key of type
DES-CBC-MD5 -- you have to change byte 7 from 1 to 3 in
/var/heimdal/m-key (or wherever you have your master key).

This said, I would probably stay away from 0.1a for other things than
experimenting. There are (apart from these upgrade problems) some
known bugs that should be fixed.

I'll try to solve some of these problems and perhaps make a 0.1b.

Sorry for the inconvenience.

/Johan
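As an added example (not part of Johan's message or of Heimdal itself), this Python script carries out the dump-rewriting step described above on a constructed sample dump, and goes a little beyond the sed expression: it converts every DES key in an entry rather than only the first, refuses to run twice over a field that already carries enctype 2/3 entries (the substitution is not idempotent), and checks the master key's type byte before flipping it. The field layout is taken from the message's example line; reading "byte 7" as a zero-based offset is an assumption.

```python
import re

# Constructed sample in the dump layout shown in the message (principal, key
# field, rest of the entry); not taken from a real KDC.
OLD_DUMP = """\
alice@EXAMPLE.ORG 1:0:1:0123456789abcdef:- REST-OF-ENTRY
bob@EXAMPLE.ORG 2:0:1:fedcba9876543210:-:0:1:00112233445566778899aabbccddeeff:- REST-OF-ENTRY
"""

# Same shape as the sed pattern: keytype 1 (DES), hex key, salt.
DES_KEY = re.compile(r':0:1:([0-9a-f]+:[-0-9a-f]*)')


def already_converted(field):
    """True if the key field already has enctype 2 or 3 entries; running the
    substitution again would duplicate them, so such fields are refused."""
    return re.search(r':0:[23]:[0-9a-f]', field) is not None


def convert_key_field(field):
    """Expand each DES keytype-1 entry into enctypes 1, 2 and 3 (DES-CBC-CRC,
    DES-CBC-MD4, DES-CBC-MD5) sharing the same key and salt."""
    if already_converted(field):
        raise ValueError("key field already converted: %s" % field)
    return DES_KEY.sub(lambda m: ':0:1:{0}:0:2:{0}:0:3:{0}'.format(m.group(1)), field)


def convert_dump(text):
    """Rewrite the key field (second space-separated column) of every entry."""
    out = []
    for line in text.splitlines():
        parts = line.split(' ', 2)
        if len(parts) < 2:
            out.append(line)  # blank or unexpected line passes through untouched
            continue
        parts[1] = convert_key_field(parts[1])
        out.append(' '.join(parts))
    return '\n'.join(out) + '\n'


def enctypes_in(field):
    """List the enctype numbers present in a key field, to check the result."""
    return [int(n) for n in re.findall(r':0:(\d+):[0-9a-f]', field)]


def patch_master_key(data):
    """Flip the master key type byte from 1 to 3 (DES-CBC-MD5).
    Assumption: 'byte 7' means zero-based offset 7. The old value is checked
    so an already patched or unrelated file is not silently overwritten."""
    if len(data) <= 7 or data[7] != 1:
        raise ValueError("byte 7 is not 1; refusing to patch")
    return data[:7] + b'\x03' + data[8:]
```

Dump with the old kadmin, run the converted text through convert_dump, and inspect the result with enctypes_in before reloading it.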