I'm working on Samba4's KDC, and it occurs to me that when the KDC is receiving a TGS-REQ, it should be checking the incoming packet against a keytab, rather than hdb. It seems that the receipt of the TGS-REQ is much more like an application server than the issuing of tickets.

In particular, I was thinking about the issue of key changes. With a keytab, both kvno and kvno-1 can be stored, allowing the krbtgt and, more importantly, the inter-realm trust keys to be changed.

I don't fully understand how inter-realm trusts work, but I think this would also allow different keys in each direction, something that I think Microsoft does.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
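The difference the post draws between a keytab (several key versions per principal) and a single-key hdb lookup can be shown in a small model. The following is an added illustration, not Samba or Heimdal code: it stores keys as (principal, kvno) pairs, lets the TGS side pick the key named by the ticket's kvno, rolls the krbtgt key, and then presents a TGT issued under the old version to both lookup models. The ticket's encrypted part is modelled by an HMAC-SHA256 tag (an assumption made for brevity; real Kerberos uses the etype's encrypt/decrypt), and all principal names and key material are constructed. Because entries are keyed by principal, two distinct principals hold independent keys in this structure without any extra code.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed model, not Samba or Heimdal code.
# A keytab holds several key versions per principal: (principal, kvno) -> key.
Keytab = Dict[Tuple[str, int], bytes]
# The hdb-style store holds a single current (kvno, key) per principal.
Hdb = Dict[str, Tuple[int, bytes]]
# A "ticket" is (kvno of the key that protects it, payload, tag).
Ticket = Tuple[int, bytes, bytes]


def keytab_add(keytab: Keytab, principal: str, kvno: int, key: bytes, keep: int = 2) -> None:
    """Record a new key version and retain only the newest `keep` versions
    (keep=2 gives the kvno / kvno-1 pair the post describes)."""
    keytab[(principal, kvno)] = key
    versions = sorted(k for (p, k) in keytab if p == principal)
    for old in versions[:-keep]:
        del keytab[(principal, old)]


def keytab_versions(keytab: Keytab, principal: str) -> List[int]:
    """Key versions currently held for a principal, oldest first."""
    return sorted(k for (p, k) in keytab if p == principal)


def _tag(key: bytes, payload: bytes) -> bytes:
    # Stand-in for the enc-part: a tag that only the holder of `key` can
    # produce or check. Real Kerberos uses the etype's encrypt/decrypt.
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_ticket(key: bytes, kvno: int, payload: bytes) -> Ticket:
    """AS side: protect the ticket with krbtgt key version `kvno`; the kvno
    itself travels in the clear in the ticket's EncryptedData."""
    return (kvno, payload, _tag(key, payload))


def verify_with_keytab(keytab: Keytab, principal: str, ticket: Ticket) -> bool:
    """TGS side, keytab model: select the key named by the ticket's kvno."""
    kvno, payload, tag = ticket
    key = keytab.get((principal, kvno))
    if key is None:
        return False  # unknown or retired key version
    return hmac.compare_digest(_tag(key, payload), tag)


def verify_with_hdb(hdb: Hdb, principal: str, ticket: Ticket) -> bool:
    """TGS side, single-key model: only the current kvno is available."""
    kvno, payload, tag = ticket
    current_kvno, key = hdb[principal]
    if kvno != current_kvno:
        return False  # ticket predates the key change
    return hmac.compare_digest(_tag(key, payload), tag)


def rollover_demo() -> dict:
    """Issue a TGT, change the krbtgt key, then present the old TGT to both models."""
    krbtgt = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"  # constructed principal name
    keytab: Keytab = {}
    hdb: Hdb = {}

    k1 = hashlib.sha256(b"constructed krbtgt key v1").digest()
    keytab_add(keytab, krbtgt, 1, k1)
    hdb[krbtgt] = (1, k1)
    old_tgt = issue_ticket(k1, 1, b"cname=alice crealm=EXAMPLE.COM (constructed)")

    # Key change: kvno 2 becomes current; the keytab keeps kvno 1 alongside it.
    k2 = hashlib.sha256(b"constructed krbtgt key v2").digest()
    keytab_add(keytab, krbtgt, 2, k2)
    hdb[krbtgt] = (2, k2)
    new_tgt = issue_ticket(k2, 2, b"cname=bob crealm=EXAMPLE.COM (constructed)")

    # A ticket whose tag was not produced with any krbtgt key.
    bogus: Ticket = (1, b"cname=mallory (constructed)", bytes(32))

    return {
        "old_tgt_keytab": verify_with_keytab(keytab, krbtgt, old_tgt),  # True
        "old_tgt_hdb": verify_with_hdb(hdb, krbtgt, old_tgt),           # False
        "new_tgt_keytab": verify_with_keytab(keytab, krbtgt, new_tgt),  # True
        "new_tgt_hdb": verify_with_hdb(hdb, krbtgt, new_tgt),           # True
        "bogus_keytab": verify_with_keytab(keytab, krbtgt, bogus),      # False
        "versions_kept": keytab_versions(keytab, krbtgt),               # [1, 2]
    }


if __name__ == "__main__":
    for name, value in rollover_demo().items():
        print(f"{name}: {value}")
```

The single-key lookup rejects every ticket issued before the key change, which is why a krbtgt or trust key can only be rotated under that model by invalidating all outstanding tickets; retaining kvno-1 in the keytab lets the old tickets run out naturally while new ones are issued under the new version, and anything presented with an unknown kvno or a tag that does not verify is still refused.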