On Thu, Jun 23, 2005 at 10:23:24AM -0400, Ken Hornstein wrote:
> >I did a little digging but was unable to determine if it was possible to
> >change the master_key_type kdc.conf parameter to another enctype and
> >then modify an existing principal DB to protect the existing principal
> >keys using the new master key. If this is possible, how does one go
> >about it?
>
> I tried it once. It turns out there are a number of barriers:
>
> - There's no tool to do it.
> - If you write a tool, you will discover that the master key enctype is
>   (inexplicitly) used as the enctype for the history key.
>
> At that point I gave up, but there may be more problems.

Yeah, I played around with kdb5_util and came to the same point. It
would be a nice enhancement to provide a simple way to modify a master
key's enctype to a stronger enctype and allow migration of the princ. DB
(and deal with any propagation issues).

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos