Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      User keys are currently stored in the DIT as plaintext keys, for example, in the krb5key. These keys should be encrypted with the server master key. The server master key should be stored in the Eve system partition.

        Activity

        Enrique Rodriguez added a comment -

        KDC master keys are typically stored in their own file and protected by filesystem permissions. The KDC master key stash file should provide the option of password protection.

        Emmanuel Lecharny added a comment -

        Let's try to fix this for 2.0

        Xu Yaning added a comment -

        The user's key should be encrypted with the server master key before being stored in the backend. One problem is that the master's key is also stored in the backend. To get its own key, the master has to decrypt the encrypted key with its key. That's contradictory. Maybe we can store the master's key in memory?

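The scheme sketched in the description and in the two comments above, as an added example that is not ApacheDS code: each krb5key value is wrapped under a master key that is unlocked from a passphrase-protected stash and then held only in KDC memory, never written to the DIT it protects, which removes the circular dependency. The principal name, passphrase and key bytes are constructed values.

```ruby
require 'openssl'

NONCE_LEN = 12 # GCM nonce
TAG_LEN = 16   # GCM authentication tag

# Unlocking the stash: PBKDF2-HMAC-SHA256 over the operator's passphrase.
# The stash file on disk holds only the salt and the iteration count; the
# derived master key exists in KDC memory for the life of the process and is
# never stored in the backend, so no key is needed to fetch the master key.
def derive_master_key(passphrase, salt, iters = 200_000)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: iters, length: 32, hash: 'sha256')
end

# Seal one krb5key value under the master key with AES-256-GCM. The principal
# name is bound as associated data, so a wrapped blob copied onto another
# entry fails authentication instead of decrypting for the wrong principal.
# Layout of the stored value: nonce || tag || ciphertext.
def wrap_user_key(master, principal, user_key)
  raise ArgumentError, 'user key must not be empty' if user_key.empty?
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = master
  nonce = c.random_iv # fresh 12-byte nonce for every wrap
  c.auth_data = principal
  ct = c.update(user_key) + c.final
  nonce + c.auth_tag + ct
end

# Reverse wrap_user_key. Any change to nonce, tag or ciphertext, or a
# mismatched principal, raises OpenSSL::Cipher::CipherError at final.
def unwrap_user_key(master, principal, wrapped)
  raise ArgumentError, 'wrapped key too short' if wrapped.bytesize <= NONCE_LEN + TAG_LEN
  nonce = wrapped.byteslice(0, NONCE_LEN)
  tag = wrapped.byteslice(NONCE_LEN, TAG_LEN)
  ct = wrapped.byteslice(NONCE_LEN + TAG_LEN, wrapped.bytesize)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = master
  c.iv = nonce
  c.auth_tag = tag
  c.auth_data = principal
  c.update(ct) + c.final
end

# Constructed sample: a 16-byte key for one principal (not real data).
if __FILE__ == $PROGRAM_NAME
  master = derive_master_key('stash-passphrase', OpenSSL::Random.random_bytes(16))
  blob = wrap_user_key(master, 'hnelson@EXAMPLE.COM', (1..16).to_a.pack('C*'))
  puts unwrap_user_key(master, 'hnelson@EXAMPLE.COM', blob) == (1..16).to_a.pack('C*')
end
```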
        Kai Zheng added a comment -

        Hi Xu Yaning, this issue was opened and discussed for the ApacheDS server implementation. If you're actually working for the new Kerberos implementation Kerby, please go to this one DIRKRB-279, thanks.

        Xu Yaning added a comment -

        It seems that the master key is not the krbtgt/Domain@Domain key.

        Xu Yaning added a comment -

        Okay, thanks


          People

          • Assignee: Enrique Rodriguez
          • Reporter: Enrique Rodriguez
          • Votes: 0
          • Watchers: 3
