Re: Heimdal/AFS Master Key Coordination
At 9:48 AM +0200 9/24/03, Johan Danielsson wrote:
> "Henry B. Hotz" <hotz@jpl.nasa.gov> writes:
> > There was a recent post to the effect that hpropd couldn't tell if
> > it was getting encrypted data or not.
>
> An application that requires access to key material will decrypt if
> necessary. In fact, you can have keys encrypted with different master
> keys, and unencrypted keys in the same database (not that I recommend
> that).
Ummm. . . How do you do that so the KDC works? It only reads one
master key when it starts up, I thought.
I've got it working with no master key at all, but I'm not sure I
want to stay that way. I suppose the way to change master keys
wholesale is to either dump --decrypt/load, or to run it through
hprop --decrypt/hpropd --encrypt?
I presume when running hprop/hpropd between machines it uses Kerberos
encryption over the wire. That's independent of the key encryption,
right?
> > So the kaserver DB is unencrypted; the Heimdal DB is encrypted.
> > When/how is the encryption with the Heimdal master key done?
>
> By hprop, if used with --encrypt.
There is no --encrypt option on hpropd, is there? It's not in the
documentation and when I did a "hpropd --encrypt" it just spat the
usage message back at me (Heimdal 0.6).
I know I'm nit-picking all the details here, but I have to say that
I'm really pleased with the flexibility of the system. Being able to
run with a kaserver master for a while makes the conversion to K5 a
*lot* easier to implement here.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu