[OpenAFS] Re: "ktadd -k <anywhere> afs/xyz@REALM" breaks AFS instantly?

John Rudd jrudd@ucsc.edu
Tue, 14 Feb 2006 00:22:10 -0800


On Feb 13, 2006, at 11:42 PM, Russ Allbery wrote:

> Adam Megacz <megacz@cs.berkeley.edu> writes:
>> Russ Allbery <rra@stanford.edu> writes:
>
>>> ktadd changes the key.
>
>> I am: dumbfounded.
>
>> Dare I ask if there was a reason for this decision?  Other than
>> causing me grief, of course.
>
> Keytabs are normally not supposed to be shared between multiple
> machines, and this approach means that kadmind doesn't need to have
> the capability of retrieving keys from the KDC, which is an additional
> separation of capability and an additional level of security.

It also makes sense on another level:

Since you shouldn't really have multiple copies of the same keytab out 
and about (instead you should have multiple individual keys to which 
you have given similar access rights), the main reason you would re-run 
ktadd on a princ is if you thought the old copy had been compromised 
and you wanted to replace it with a new, presumably secure, iteration.  
In that case, you DEFINITELY want to change the version of the key in 
the KDC, so that any compromised copies are obsolete.

If you REALLY want to have the same key copied around to multiple 
keytabs, then you should familiarize yourself with ktutil (but, be very 
careful with it, as it can easily corrupt a keytab if you don't 
understand how it works).  You can use it to extract a key from a 
keytab into a file, or add a key from a file into a keytab, or delete 
keys from a keytab, or translate a k5 keytab into a k4 keytab (and vice 
versa).  But, you will have to copy the file containing your key to the 
other hosts through other channels (kerberized rcp with -x being a good 
one).
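As an added example, not part of this thread or of OpenAFS, here is a small Python check for the situation John describes: a keytab copied to several hosts whose key version (kvno) has been left behind by a later ktadd on the KDC. It reads the MIT version-2 keytab format directly; the sample keytab, the principal names and the KDC kvno table are constructed for the example, and enctype 17 is aes128-cts.

```python
import struct

def _cstr(b):
    """Counted octet string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as an MIT v2 keytab.
    Constructed helper so the example runs offline; real keytabs come from ktadd/ktutil."""
    out = b"\x05\x02"                                     # keytab format version 2
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name_type=1, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _cstr(key)
        body += struct.pack(">I", kvno)                   # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                                      # negative size = deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        if end - pos >= 4:                                # 32-bit kvno, if present and non-zero, wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def stale_entries(data, kdc_kvno):
    """Entries whose kvno lags the KDC's current kvno: what a copied keytab looks like after ktadd."""
    return [(p, k) for p, k, _ in parse_keytab(data) if p in kdc_kvno and k < kdc_kvno[p]]

# Constructed sample: afs/xyz was copied at kvno 3, then someone re-ran ktadd and the KDC is at 4.
SAMPLE = build_keytab([("afs/xyz@EXAMPLE.ORG", 3, 17, bytes(16)), ("host/a@EXAMPLE.ORG", 2, 17, bytes(16))])
KDC_KVNO = {"afs/xyz@EXAMPLE.ORG": 4, "host/a@EXAMPLE.ORG": 2}
```

Running `stale_entries(SAMPLE, KDC_KVNO)` flags the afs/xyz entry, which is exactly the keytab that would stop working after the ktadd in the subject line.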