upgrading from krb5-1.0b6 to krb5-1.2.5


Post by Art Freema » Mon, 05 Aug 2002 11:23:36



I've inherited an old krb5-1.0b6 database without the master key.  Is there
any way to load the principals (and keys) from the 1.0b6 database to 1.2.5
database without the master key of the old database?  Thanks in advance for
the help.
 
 
 


Post by Sam Hartm » Tue, 06 Aug 2002 03:50:42


    Art> I've inherited an old krb5-1.0b6 database without the master
    Art> key.  Is there any way to load the principals (and keys) from
    Art> the 1.0b6 database to 1.2.5 database without the master key
    Art> of the old database?  Thanks in advance for the help.

If you have a stash file then you can probably get things working.  If
not, you'd need to crack the DES key or password; that could
potentially be expensive--as much as $100000 or so if the key is good.

________________________________________________

http://mailman.mit.edu/mailman/listinfo/kerberos

 
 
 


Post by Art Freema » Tue, 06 Aug 2002 05:40:48


----- Original Message -----



Sent: Sunday, August 04, 2002 2:50 PM
Subject: Re: upgrading from krb5-1.0b6 to krb5-1.2.5


>     Art> I've inherited an old krb5-1.0b6 database without the master
>     Art> key.  Is there any way to load the principals (and keys) from
>     Art> the 1.0b6 database to 1.2.5 database without the master key
>     Art> of the old database?  Thanks in advance for the help.

> If you have a stash file then you can probably get things working.  If
> not, you'd need to crack the DES key or password; that could
> potentially be expensive--as much as $100000 or so if the key is good.

Although there is a stash file, krb5_util complains that the key is corrupted
when I try to load the contents of the old database to the new one.  By the
way, are there any plans to provide a function to change the database master
key and change the principals appropriately?

Do you have any suggestions as to which DES cracking tools would be useful?
Thanks.


 
 
 


Post by Tom » Tue, 06 Aug 2002 08:56:30



art> Although there is a stash file krb5_util complains that the key
art> is corrupted when I try to load the contents of the old database
art> to the new one.

Are you loading the new database on a machine having the opposite byte
order from the old one?  If so, you should know that there are some
integer fields in the stash file that need to be byte-swapped.

art> By the way, are there any plans to provide a function to change
art> the database master key and change the principals appropriately?

Master key change capability exists, but is buggy, in krb5-1.2.5.  The
following patch should allow master key change to work:

Index: dump.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/kadmin/dbutil/dump.c,v
retrieving revision 1.19.2.1
diff -c -r1.19.2.1 dump.c
*** dump.c      2001/01/24 21:48:21     1.19.2.1
- --- dump.c    2002/08/04 23:53:01
***************
*** 255,261 ****
      krb5_error_code   retval;
      krb5_keyblock     v5plainkey, *key_ptr;
      krb5_keysalt      keysalt;
!     int             i;
      krb5_key_data     new_key_data, *key_data;
      krb5_boolean      is_mkey;

- --- 255,261 ----
      krb5_error_code   retval;
      krb5_keyblock     v5plainkey, *key_ptr;
      krb5_keysalt      keysalt;
!     int             i, j;
      krb5_key_data     new_key_data, *key_data;
      krb5_boolean      is_mkey;

***************
*** 284,290 ****
        if (retval)
                return retval;
        krb5_free_keyblock_contents(context, &v5plainkey);
!       free(key_data->key_data_contents);
        *key_data = new_key_data;
      }
      return 0;
- --- 284,294 ----
        if (retval)
                return retval;
        krb5_free_keyblock_contents(context, &v5plainkey);
!       for (j = 0; j < key_data->key_data_ver; j++) {
!           if (key_data->key_data_length[j]) {
!               free(key_data->key_data_contents[j]);
!           }
!       }
        *key_data = new_key_data;
      }
      return 0;
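
Review bot: In the new loop of the second hunk, the bound `j < key_data->key_data_ver` comes straight from the record, and nothing visible here checks it against the number of elements in `key_data_contents[]`; a record carrying an unexpected version value would index past the array, so clamp the bound to the array size before looping. The `key_data_length[j]` guard is not needed for safety, since `free(NULL)` is a no-op, and testing the length instead of the pointer would skip a non-NULL buffer whose recorded length is zero. These buffers hold key data, so clearing `key_data_length[j]` bytes before each `free()` is a cheap hardening step. In the unchanged context, `return retval` sits before `krb5_free_keyblock_contents(context, &v5plainkey)`, so that error path returns without releasing the plaintext key if it was already populated.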

art> Do you have any suggestions as to which DES cracking tools would
art> be useful?

Not really.  The fastest DES cracking engine that is publicly
acknowledged was built from custom hardware.

---Tom
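
The byte-order question raised in the reply above can be checked mechanically. This is an added example, not part of the original thread or the krb5 source: it assumes a stash layout of a 2-byte key type, a 4-byte key length, then the key bytes (an assumption; confirm it against the release that wrote the file), and uses the length field to tell which byte order the file was written in. All function names and sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ASSUMED layout, not taken from the thread: 2-byte key type, 4-byte key
 * length, then the key bytes; both integers in the writer's byte order. */
#define STASH_HDR_LEN 6

enum stash_order { STASH_INVALID = -1, STASH_BIG = 0, STASH_LITTLE = 1 };

/* Constructed samples: key type 1, length 8, dummy key bytes 01..08. */
static const unsigned char sample_be[]  = {0,1, 0,0,0,8, 1,2,3,4,5,6,7,8};
static const unsigned char sample_le[]  = {1,0, 8,0,0,0, 1,2,3,4,5,6,7,8};
static const unsigned char sample_bad[] = {0,1, 0,0,0,8, 1,2,3}; /* truncated */

static uint32_t rd32(const unsigned char *p, int little)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)p[little ? i : 3 - i] << (8 * i);
    return v;
}

/* The length field is self-checking: it must equal the number of bytes after
 * the header, which only one byte order satisfies for a realistic key size. */
enum stash_order stash_byte_order(const unsigned char *buf, size_t n)
{
    if (buf == NULL || n <= STASH_HDR_LEN)
        return STASH_INVALID;
    size_t payload = n - STASH_HDR_LEN;
    if (rd32(buf + 2, 0) == payload) return STASH_BIG;
    if (rd32(buf + 2, 1) == payload) return STASH_LITTLE;
    return STASH_INVALID; /* damaged file, or not the assumed layout */
}

static int host_is_little(void)
{
    const uint16_t one = 1;
    return *(const unsigned char *)&one == 1;
}

/* 1: integer fields need swapping on this host; 0: no swap; -1: invalid. */
int stash_needs_swap(const unsigned char *buf, size_t n)
{
    enum stash_order o = stash_byte_order(buf, n);
    return o == STASH_INVALID ? -1 : ((int)o != host_is_little());
}

int main(void)
{
    printf("be=%d le=%d bad=%d\n", stash_needs_swap(sample_be, sizeof sample_be),
           stash_needs_swap(sample_le, sizeof sample_le),
           stash_needs_swap(sample_bad, sizeof sample_bad));
    return 0;
}
```

A result of -1 on a real stash file means the length field matches neither byte order, which points at a damaged file or a layout other than the one assumed here rather than an endianness mismatch.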

 
 
 


Post by Art Freema » Tue, 06 Aug 2002 09:57:49


Tom Yu writes:


tom>art> Although there is a stash file krb5_util complains that the key
tom>art> is corrupted when I try to load the contents of the old database
tom>art> to the new one.

tom>Are you loading the new database on a machine having the opposite byte
tom>order from the old one?  If so, you should know that there are some
tom>integer fields in the stash file that need to be byte-swapped.

I don't believe the endianness is changing.  The old database exists on a sun4u (solaris 2.6)
system and the new database is a sun4u (solaris 8) system.  I believe that at one time
the database was migrated from sun4m (sunos 4.x) to sun4u (solaris 2.5.1 or 2.6) but I'm
not certain.

tom>art> By the way, are there any plans to provide a function to change
tom>art> the database master key and change the principals appropriately?

tom>Master key change capability exists, but is buggy, in krb5-1.2.5.  The
tom>following patch should allow master key change to work:

Thanks.

tom>art> Do you have any suggestions as to which DES cracking tools would
tom>art> be useful?

tom>Not really.  The fastest DES cracking engine that is publicly
tom>acknowledged was built from custom hardware.

Ok, but I was referring to a software set of tools.  


 
 
 
