Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      User keys are currently stored in the DIT as plaintext keys, for example, in the krb5key. These keys should be encrypted with the server master key. The server master key should be stored in the Eve system partition.

        Activity

        Xu Yaning added a comment -

        Okay, thanks
        Xu Yaning added a comment -

        It seems that master is not the krbtgt/Domain@Domain key.
        Kai Zheng added a comment -

        Hi Xu Yaning, this issue was opened and discussed for the ApacheDS server implementation. If you're actually working for the new Kerberos implementation Kerby, please go to this one DIRKRB-279, thanks.
        Xu Yaning added a comment -

        The user's key should be encrypted with the server master key before being stored in the backend. One problem is that the master's key is also stored in the backend. To get its own key, the master has to decrypt the encrypted key with its key. That's contradictory. Maybe we can store the master's key in memory?
        Emmanuel Lecharny made changes -
        Affects Version/s 2.5.0 [ 12313850 ]
        Emmanuel Lecharny made changes -
        Affects Version/s 2.5.0 [ 12313850 ]
        Affects Version/s 2.0.0 [ 12313849 ]
        Emmanuel Lecharny made changes -
        Affects Version/s 2.0.0 [ 12313849 ]
        Affects Version/s 2.0.0-RC2 [ 12315973 ]
        Emmanuel Lecharny made changes -
        Affects Version/s 2.0.0-RC2 [ 12315973 ]
        Affects Version/s 2.0.0-RC1 [ 12315256 ]
        Fix Version/s 2.0.0-RC1 [ 12315256 ]
        Emmanuel Lecharny made changes -
        Fix Version/s 2.0.0-RC1 [ 12315256 ]
        Emmanuel Lecharny made changes -
        Affects Version/s 2.0.0-RC1 [ 12315256 ]
        Christine Koppelt made changes -
        Project Directory ApacheDS [ 12310260 ] Directory Kerberos [ 12310910 ]
        Key DIRSERVER-152 DIRKRB-20
        Component/s kerberos [ 12310716 ]
        Fix Version/s 2.0.0 [ 12312396 ]
        Emmanuel Lecharny made changes -
        Fix Version/s 2.0.0 [ 12312396 ]
        Emmanuel Lecharny added a comment -

        Let's try to fix this for 2.0
        Enrique Rodriguez added a comment -

        KDC master keys are typically stored in their own file and protected by filesystem permissions. The KDC master key stash file should provide the option of password protection.
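        The layout sketched in this comment, and the circularity Xu Yaning raises earlier on the page, as an added Java example that is not ApacheDS code: the master key lives only in memory and in a password-protected stash file outside the DIT, and each user's krb5key is stored wrapped under the master key. All key material, the stash password and the principal name are constructed sample values; AES-GCM and PBKDF2 are the choices made here, not something the issue specifies.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
public class MasterKeyStashDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // AES-GCM with a fresh 96-bit nonce; returns nonce || ciphertext || tag.
    static byte[] wrap(SecretKey kek, byte[] plaintext, byte[] aad) throws Exception {
        byte[] nonce = new byte[12]; RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, kek, new GCMParameterSpec(128, nonce));
        c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[12 + ct.length];
        System.arraycopy(nonce, 0, out, 0, 12);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return out;
    }
    static byte[] unwrap(SecretKey kek, byte[] blob, byte[] aad) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, kek, new GCMParameterSpec(128, blob, 0, 12));
        c.updateAAD(aad);
        return c.doFinal(blob, 12, blob.length - 12); // tag check fails on tampering or wrong AAD
    }
    // Stash password -> key-encrypting key via PBKDF2; the salt is kept beside the stash.
    static SecretKey kekFromPassword(char[] password, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] raw = f.generateSecret(new PBEKeySpec(password, salt, 600_000, 256)).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }
    public static void main(String[] args) throws Exception {
        byte[] masterKey = new byte[32], salt = new byte[16], userKey = new byte[16];
        RNG.nextBytes(masterKey); RNG.nextBytes(salt); RNG.nextBytes(userKey); // constructed sample keys
        char[] stashPassword = "stash-password".toCharArray();                 // constructed sample
        byte[] principal = "user@EXAMPLE.COM".getBytes(StandardCharsets.UTF_8); // constructed sample
        // Stash file (outside the DIT): master key wrapped under the password-derived KEK.
        byte[] stash = wrap(kekFromPassword(stashPassword, salt), masterKey, new byte[0]);
        // DIT entry: the user's krb5key wrapped under the master key, bound to its principal by AAD.
        byte[] storedKrb5Key = wrap(new SecretKeySpec(masterKey, "AES"), userKey, principal);
        // KDC start-up: unstash with the password, then unwrap user keys on demand.
        byte[] master = unwrap(kekFromPassword(stashPassword, salt), stash, new byte[0]);
        byte[] recovered = unwrap(new SecretKeySpec(master, "AES"), storedKrb5Key, principal);
        System.out.println(java.util.Arrays.equals(userKey, recovered) ? "user key recovered" : "mismatch");
    }
}
```

        Because the stash is the only copy of the master key on disk, its file permissions and the password are what stand between a backend dump and every user key in the DIT.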
        Alex Karasulu made changes -
        Component/s kerberos [ 12310716 ]
        Key DIRKERBEROS-10 DIRSERVER-152
        Component/s Kerberos Protocol Provider [ 11495 ]
        Fix Version/s 0.4.0 [ 11007 ]
        Type Improvement [ 4 ] New Feature [ 2 ]
        Project Directory Kerberos [ 10593 ] ApacheDS [ 12310260 ]
        Alex Karasulu made changes -
        Field Original Value New Value
        Fix Version/s 0.4.0 [ 11007 ]
        Enrique Rodriguez created issue -

          People

          • Assignee: Enrique Rodriguez
          • Reporter: Enrique Rodriguez
          • Votes: 0
          • Watchers: 3
