Art> I've inherited an old krb5-1.0b6 database without the master
Art> key. Is there any way to load the principals (and keys) from
Art> the 1.0b6 database to 1.2.5 database without the master key
Art> of the old database? Thanks in advance for the help.
If you have a stash file then you can probably get things working. If
not, you'd need to crack the DES key or password; that could
potentially be expensive--as much as $100000 or so if the key is good.
________________________________________________
Kerberos mailing list Kerb...@mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos
> >>>>> "Art" == Art Freeman <a...@art-freeman.com> writes:
>
> Art> I've inherited an old krb5-1.0b6 database without the master
> Art> key. Is there any way to load the principals (and keys) from
> Art> the 1.0b6 database to 1.2.5 database without the master key
> Art> of the old database? Thanks in advance for the help.
>
> If you have a stash file then you can probably get things working. If
> not, you'd need to crack the DES key or password; that could
> potentially be expensive--as much as $100000 or so if the key is good.
>
Although there is a stash file krb5_util complains that the key is corrupted
when I try to load the contents of the old database to the new one. By the
way, are there any plans to provide a function to change the database master
key and change the principals appropriately?
Do you have any suggestions as to which DES cracking tools would be useful?
Thanks.
>>>>> "art" == Art Freeman <a...@art-freeman.com> writes:
art> Although there is a stash file krb5_util complains that the key
art> is corrupted when I try to load the contents of the old database
art> to the new one.
Are you loading the new database on a machine having the opposite byte
order from the old one? If so, you should know that there are some
integer fields in the stash file that need to be byte-swapped.
art> By the way, are there any plans to provide a function to change
art> the database master key and change the principals appropriately?
Master key change capability exists, but is buggy, in krb5-1.2.5. The
following patch should allow master key change to work:
Index: dump.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kadmin/dbutil/dump.c,v
retrieving revision 1.19.2.1
diff -c -r1.19.2.1 dump.c
*** dump.c 2001/01/24 21:48:21 1.19.2.1
- --- dump.c 2002/08/04 23:53:01
***************
*** 255,261 ****
krb5_error_code retval;
krb5_keyblock v5plainkey, *key_ptr;
krb5_keysalt keysalt;
! int i;
krb5_key_data new_key_data, *key_data;
krb5_boolean is_mkey;
- --- 255,261 ----
krb5_error_code retval;
krb5_keyblock v5plainkey, *key_ptr;
krb5_keysalt keysalt;
! int i, j;
krb5_key_data new_key_data, *key_data;
krb5_boolean is_mkey;
***************
*** 284,290 ****
if (retval)
return retval;
krb5_free_keyblock_contents(context, &v5plainkey);
! free(key_data->key_data_contents);
*key_data = new_key_data;
}
return 0;
- --- 284,294 ----
if (retval)
return retval;
krb5_free_keyblock_contents(context, &v5plainkey);
! for (j = 0; j < key_data->key_data_ver; j++) {
! if (key_data->key_data_length[j]) {
! free(key_data->key_data_contents[j]);
! }
! }
*key_data = new_key_data;
}
return 0;
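Review bot: the new loop's bound, j < key_data->key_data_ver, comes from a field of the record being rewritten, and nothing in this hunk checks it against the number of slots in key_data_length[] and key_data_contents[]. If a damaged dump can carry a larger key_data_ver, the loop reads and frees past those arrays, so validate or clamp the value before the loop. The guard also tests key_data_length[j] rather than the pointer; free(NULL) is a no-op, so freeing key_data_contents[j] unconditionally (with unused slots kept NULL) is simpler and cannot skip a buffer whose recorded length is zero. Separately, in the context lines, "if (retval) return retval;" comes before krb5_free_keyblock_contents(context, &v5plainkey), so if v5plainkey has been filled by that point the decrypted key stays allocated on the error path.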
art> Do you have any suggestions as to which DES cracking tools would
art> be useful?
Not really. The fastest DES cracking engine that is publicly
acknowledged was built from custom hardware.
---Tom
tom>art> Although there is a stash file krb5_util complains that the key
tom>art> is corrupted when I try to load the contents of the old database
tom>art> to the new one.
tom>Are you loading the new database on a machine having the opposite byte
tom>order from the old one? If so, you should know that there are some
tom>integer fields in the stash file that need to be byte-swapped.
I don't believe the endianness is changing. The old database exists on a sun4u (solaris 2.6)
system and the new database is a sun4u (solaris 8) system. I believe that at one time
the database was migrated from sun4m (sunos 4.x) to sun4u (solaris 2.5.1 or 2.6) but I'm
not certain.
tom>art> By the way, are there any plans to provide a function to change
tom>art> the database master key and change the principals appropriately?
tom>Master key change capability exists, but is buggy, in krb5-1.2.5. The
tom>following patch should allow master key change to work:
Thanks.
tom>art> Do you have any suggestions as to which DES cracking tools would
tom>art> be useful?
tom>Not really. The fastest DES cracking engine that is publicly
tom>acknowledged was built from custom hardware.
Ok, but I was referring to a software set of tools.
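The byte-order question raised earlier in the thread can be checked directly on a stash file. The following is an added example, not code from the thread or from MIT krb5. It assumes a stash layout the thread does not state (2-byte key type, 4-byte key length, then the key bytes, integers in the writing host's byte order); the function names and the sample blob are constructed for illustration.

```python
import struct
import sys

# ASSUMED layout (the thread does not give it): a 2-byte key type, a 4-byte key
# length, then the raw key bytes, with both integers written in the byte order
# of the host that created the file.
HEADER_LEN = 6
MAX_KEY_LEN = 64  # sanity bound chosen for this example


def stash_byte_order(blob):
    """Return 'big' or 'little' if exactly one reading is self-consistent, else None."""
    if len(blob) <= HEADER_LEN:
        return None
    fits = []
    for name, prefix in (("big", ">"), ("little", "<")):
        _keytype, length = struct.unpack_from(prefix + "hI", blob)
        # A correct reading gives a small length that accounts for the whole file.
        if 0 < length <= MAX_KEY_LEN and HEADER_LEN + length == len(blob):
            fits.append(name)
    return fits[0] if len(fits) == 1 else None


def swap_header(blob):
    """Rewrite the two integer fields in the opposite byte order; key bytes are untouched."""
    order = stash_byte_order(blob)
    if order is None:
        raise ValueError("header is not self-consistent in either byte order")
    src, dst = (">", "<") if order == "big" else ("<", ">")
    keytype, length = struct.unpack_from(src + "hI", blob)
    return struct.pack(dst + "hI", keytype, length) + blob[HEADER_LEN:]


def report(blob):
    """Describe the header relative to the host running this check."""
    order = stash_byte_order(blob)
    if order is None:
        return "corrupt or unknown layout"
    if order == sys.byteorder:
        return "matches this host"
    return "opposite byte order: swap integer fields"


# Constructed sample: key type 1, 8 dummy key bytes, written big-endian (as on SPARC).
SAMPLE = struct.pack(">hI", 1, 8) + bytes(range(8))

if __name__ == "__main__":
    print(report(SAMPLE))
    print(report(SAMPLE[:-1]))  # truncated file
```

If neither reading is self-consistent, byte order is not the cause and the file is truncated, damaged, or in a different layout than assumed here.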