[OpenAFS] Kerberos 5 Master key.
Ken Hornstein
kenh@cmf.nrl.navy.mil
Mon, 30 Sep 2002 14:23:41 -0400
>> You're thinking of the TGS key, not what is typically called the "master
>> key", aren't you? (I don't think that terminology is very clear regarding
>> what people think is the "master key").
>
>If that is the key generated when I type a password at the prompt
>"Enter KDC database master key:"
That key is what _I_ call the "master key". It's used to encrypt the key
data in the Kerberos DB, but it's not actually used for anything on the
wire. You _can_ change that in newer MIT releases (but I think you want
1.2.6 for it); there are some flags like -new-mkey (the exact flags escape
me right now) to kdb5_util.
>Then it is the TGS key.
That's the key for the principal krbtgt/REALM@REALM; normally you don't
change that one.
--Ken