upgrading from krb5-1.0b6 to krb5-1.2.5


Art Freeman

Aug 3, 2002, 10:23:36 PM
I've inherited an old krb5-1.0b6 database without the master key. Is there
any way to load the principals (and keys) from the 1.0b6 database to 1.2.5
database without the master key of the old database? Thanks in advance for
the help.


Sam Hartman

Aug 4, 2002, 2:50:42 PM
>>>>> "Art" == Art Freeman <a...@art-freeman.com> writes:

Art> I've inherited an old krb5-1.0b6 database without the master
Art> key. Is there any way to load the principals (and keys) from
Art> the 1.0b6 database to 1.2.5 database without the master key
Art> of the old database? Thanks in advance for the help.

If you have a stash file then you can probably get things working. If
not, you'd need to crack the DES key or password; that could
potentially be expensive--as much as $100000 or so if the key is good.

________________________________________________
Kerberos mailing list Kerb...@mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos

Art Freeman

Aug 4, 2002, 4:40:48 PM
----- Original Message -----
From: "Sam Hartman" <hart...@mit.edu>
To: "Art Freeman" <a...@art-freeman.com>
Cc: <kerb...@mit.edu>
Sent: Sunday, August 04, 2002 2:50 PM
Subject: Re: upgrading from krb5-1.0b6 to krb5-1.2.5


> >>>>> "Art" == Art Freeman <a...@art-freeman.com> writes:
>
> Art> I've inherited an old krb5-1.0b6 database without the master
> Art> key. Is there any way to load the principals (and keys) from
> Art> the 1.0b6 database to 1.2.5 database without the master key
> Art> of the old database? Thanks in advance for the help.
>
> If you have a stash file then you can probably get things working. If
> not, you'd need to crack the DES key or password; that could
> potentially be expensive--as much as $100000 or so if the key is good.
>

Although there is a stash file krb5_util complains that the key is corrupted
when I try to load the contents of the old database to the new one. By the
way, are there any plans to provide a function to change the database master
key and change the principals appropriately?

Do you have any suggestions as to which DES cracking tools would be useful?
Thanks.

Tom Yu

Aug 4, 2002, 7:56:30 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "art" == Art Freeman <a...@art-freeman.com> writes:

art> Although there is a stash file krb5_util complains that the key
art> is corrupted when I try to load the contents of the old database
art> to the new one.

Are you loading the new database on a machine having the opposite byte
order from the old one? If so, you should know that there are some
integer fields in the stash file that need to be byte-swapped.

art> By the way, are there any plans to provide a function to change
art> the database master key and change the principals appropriately?

Master key change capability exists, but is buggy, in krb5-1.2.5. The
following patch should allow master key change to work:

Index: dump.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kadmin/dbutil/dump.c,v
retrieving revision 1.19.2.1
diff -c -r1.19.2.1 dump.c
*** dump.c 2001/01/24 21:48:21 1.19.2.1
- --- dump.c 2002/08/04 23:53:01
***************
*** 255,261 ****
krb5_error_code retval;
krb5_keyblock v5plainkey, *key_ptr;
krb5_keysalt keysalt;
! int i;
krb5_key_data new_key_data, *key_data;
krb5_boolean is_mkey;

- --- 255,261 ----
krb5_error_code retval;
krb5_keyblock v5plainkey, *key_ptr;
krb5_keysalt keysalt;
! int i, j;
krb5_key_data new_key_data, *key_data;
krb5_boolean is_mkey;

***************
*** 284,290 ****
if (retval)
return retval;
krb5_free_keyblock_contents(context, &v5plainkey);
! free(key_data->key_data_contents);
*key_data = new_key_data;
}
return 0;
- --- 284,294 ----
if (retval)
return retval;
krb5_free_keyblock_contents(context, &v5plainkey);
! for (j = 0; j < key_data->key_data_ver; j++) {
! if (key_data->key_data_length[j]) {
! free(key_data->key_data_contents[j]);
! }
! }
*key_data = new_key_data;
}
return 0;
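
Review bot: In the new cleanup loop, `key_data->key_data_ver` is used unchecked as the bound for indexing `key_data_length[j]` and `key_data_contents[j]`; if those are fixed-size arrays, a record carrying an out-of-range `key_data_ver` would make the loop read and `free()` past their end. Suggest validating or clamping `key_data_ver` against the array size before the loop. Separately, the `if (retval) return retval;` just above returns before `krb5_free_keyblock_contents(context, &v5plainkey)`, so if `v5plainkey` already holds the decrypted key at that point, the failure path leaves it allocated; freeing it before the early return would close that gap.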


art> Do you have any suggestions as to which DES cracking tools would
art> be useful?

Not really. The fastest DES cracking engine that is publicly
acknowledged was built from custom hardware.

- ---Tom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)
Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <http://www.gnupg.org/>

iD8DBQE9Tb8hSO8fWy4vZo4RAskdAJ0YhwbAr6S5mECdEAJjmTWkOZfWSwCg8ecI
chpenv8j//mX4pTZ3ilpLT8=
=oC97
-----END PGP SIGNATURE-----
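
Added example, not part of the original thread and not krb5 code: a check for which byte order a stash file's integer fields were written in, for the byte-swap question raised in the message above. The layout (16-bit key type, 32-bit key length, then the key bytes) and all function names are assumptions made for this illustration.

```python
import struct
import sys

# Assumed layout (not given in the thread): 16-bit key type, 32-bit key
# length, then the key bytes, with both integers in the byte order of the
# host that wrote the file.
HEADER = "hI"
MAX_KEY_LEN = 64  # sanity bound chosen for this example


def parse_header(blob, order):
    """Return (keytype, length) read with struct prefix '>' or '<',
    or None when the fields cannot describe this file."""
    size = struct.calcsize(order + HEADER)
    if len(blob) < size:
        return None
    keytype, length = struct.unpack(order + HEADER, blob[:size])
    if keytype <= 0 or not 0 < length <= MAX_KEY_LEN:
        return None
    # The length field must account for exactly the bytes that follow.
    if len(blob) - size != length:
        return None
    return keytype, length


def stash_byte_order(blob):
    """Return 'big', 'little', or None if neither order parses cleanly."""
    big = parse_header(blob, ">")
    little = parse_header(blob, "<")
    if big and not little:
        return "big"
    if little and not big:
        return "little"
    return None


def needs_swap(blob, host_order=sys.byteorder):
    """True when the file's integers are in the opposite order to the host."""
    order = stash_byte_order(blob)
    if order is None:
        raise ValueError("header implausible in either byte order")
    return order != host_order


# Constructed sample: key type 1, 8 placeholder key bytes, big-endian writer.
SAMPLE_BE = struct.pack(">hI", 1, 8) + bytes(8)
```

A file that parses in neither order is truncated, damaged, or in a different format, which is a separate problem from byte order.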

Art Freeman

Aug 4, 2002, 8:57:49 PM
Tom Yu writes:
tom>>>>>> "art" == Art Freeman <a...@art-freeman.com> writes:

tom>art> Although there is a stash file krb5_util complains that the key
tom>art> is corrupted when I try to load the contents of the old database
tom>art> to the new one.

tom>Are you loading the new database on a machine having the opposite byte
tom>order from the old one? If so, you should know that there are some
tom>integer fields in the stash file that need to be byte-swapped.

I don't believe the endianness is changing. The old database exists on a sun4u (solaris 2.6)
system and the new database is a sun4u (solaris 8) system. I believe that at one time
the database was migrated from sun4m (sunos 4.x) to sun4u (solaris 2.5.1 or 2.6) but I'm
not certain.

tom>art> By the way, are there any plans to provide a function to change
tom>art> the database master key and change the principals appropriately?

tom>Master key change capability exists, but is buggy, in krb5-1.2.5. The
tom>following patch should allow master key change to work:

Thanks.

tom>art> Do you have any suggestions as to which DES cracking tools would
tom>art> be useful?

tom>Not really. The fastest DES cracking engine that is publicly
tom>acknowledged was built from custom hardware.

Ok, but I was referring to a software set of tools.
