[OpenAFS] Re: "ktadd -k <anywhere> afs/xyz@REALM" breaks AFS instantly?
John Rudd
jrudd@ucsc.edu
Tue, 14 Feb 2006 00:22:10 -0800
On Feb 13, 2006, at 11:42 PM, Russ Allbery wrote:
> Adam Megacz <megacz@cs.berkeley.edu> writes:
>> Russ Allbery <rra@stanford.edu> writes:
>
>>> ktadd changes the key.
>
>> I am: dumbfounded.
>
>> Dare I ask if there was a reason for this decision? Other than causing
>> me grief, of course.
>
> Keytabs are normally not supposed to be shared between multiple machines,
> and this approach means that kadmind doesn't need to have the capability
> of retrieving keys from the KDC, which is an additional separation of
> capability and an additional level of security.
>
It also makes sense on another level:
Since you shouldn't really have multiple copies of the same keytab out
and about (instead you should have multiple individual keys to which
you have given similar access rights), the main reason you would re-run
ktadd on a princ is if you thought the old copy had been compromised
and you want to replace it with a new, presumably secure, iteration.
In that case, you DEFINITELY want to change the version of the key in
the KDC, so that any compromised copies are obsolete.
If you REALLY want to have the same key copied around to multiple
keytabs, then you should familiarize yourself with ktutil (but, be very
careful with it, as it can easily corrupt a keytab if you don't
understand how it works). You can use it to extract a key from a
keytab into a file, or add a key from a file into a keytab, or delete
keys from a keytab, or translate a k5 keytab into a k4 keytab (and vice
versa). But, you will have to copy the file containing your key to the
other hosts through other channels (kerberized rcp with -x being a good
one).
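As an added example (this is not code from the thread, from OpenAFS or from MIT Kerberos), here is a minimal reader/writer for the MIT keytab file format (version 0x0502), the file that ktutil's rkt/list/delent/wkt commands manipulate. It lists the kvno of every entry and can pull one principal's entries out into a fresh keytab, which is what the extract-and-copy procedure above amounts to; it also makes visible why a stale copy is useless once ktadd has bumped the kvno in the KDC. The principal names, timestamps and 32-byte "AES" keys are constructed sample data, not real keys.

```python
# Added example: parse and write MIT Kerberos v0x0502 keytabs, the format
# ktutil reads (rkt) and writes (wkt).  Not part of any project.
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # keytab version 2: every integer is big-endian


@dataclass
class KeytabEntry:
    principal: str   # "afs/xyz@REALM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int   # when the entry was written
    kvno: int        # key version number; bumped in the KDC by every ktadd
    enctype: int     # e.g. 18 = aes256-cts-hmac-sha1-96
    key: bytes


def _counted(buf, pos):
    """Read a uint16-length-prefixed octet string at pos; return (bytes, new pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def read_keytab(data):
    """Parse a version-2 keytab into KeytabEntry objects, skipping removed slots."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size: slot freed by krb5_kt_remove_entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # v2: realm not counted
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno trails the key block
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, etype, key))
        pos = end
    return entries


def _entry_bytes(e):
    comps, realm = e.principal.split("@")          # assumes no escaped '@'
    parts = comps.split("/")
    body = struct.pack(">H", len(parts))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in parts:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", e.name_type, e.timestamp, e.kvno & 0xFF,
                        e.enctype, len(e.key))
    body += e.key + struct.pack(">I", e.kvno)      # vno8 plus the full vno32
    return struct.pack(">i", len(body)) + body


def write_keytab(entries):
    """Serialise entries into a fresh keytab (replaces, unlike ktutil's wkt)."""
    return KEYTAB_MAGIC + b"".join(_entry_bytes(e) for e in entries)


def latest_kvno(entries, principal):
    """Highest kvno held for a principal, or None if it is absent."""
    vnos = [e.kvno for e in entries if e.principal == principal]
    return max(vnos) if vnos else None


def extract_principal(data, principal, kvno=None):
    """ktutil rkt / delent / wkt in one step: keep only one principal's entries."""
    keep = [e for e in read_keytab(data)
            if e.principal == principal and (kvno is None or e.kvno == kvno)]
    return write_keytab(keep)


# Constructed sample data (fake keys, not a real keytab): two kvnos of the
# AFS service key plus an unrelated host key that should stay behind.
SAMPLE_ENTRIES = [
    KeytabEntry("afs/xyz@EXAMPLE.ORG", 1, 1139900000, 3, 18, bytes([0x33]) * 32),
    KeytabEntry("afs/xyz@EXAMPLE.ORG", 1, 1139986400, 4, 18, bytes([0x44]) * 32),
    KeytabEntry("host/fs1.example.org@EXAMPLE.ORG", 1, 1139900000, 7, 18,
                bytes([0x77]) * 32),
]
SAMPLE_KEYTAB = write_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for e in read_keytab(SAMPLE_KEYTAB):
        print(f"kvno {e.kvno:>3}  etype {e.enctype:>2}  {e.principal}")
    print("latest afs/xyz kvno:", latest_kvno(SAMPLE_ENTRIES, "afs/xyz@EXAMPLE.ORG"))
```

With the stock tools the same operation is `ktutil` then `rkt /etc/krb5.keytab`, `list` (the slot numbers and kvnos), `delent N` for every slot you do not want, and `wkt afs-only.keytab`. Two things bite people here: MIT ktutil's wkt appends to an existing file rather than replacing it, so writing onto an old keytab leaves stale entries in place, and a server holding only kvno 3 cannot decrypt service tickets the KDC now issues under kvno 4, which is exactly the "compromised copies are obsolete" effect described above.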