
Re: [DSA 1571-1] Heimdal



On Thu, May 15, 2008 at 07:53:21AM -0700, Russ Allbery wrote:
> Guido Günther <agx@sigxcpu.org> writes:
> > On Thu, May 15, 2008 at 03:33:41PM +1000, Brian May wrote:
> 
> >> Apparently, Heimdal in Debian also is affected. I am not aware of any
> >> solution other than to manually regenerate all keys.
> 
> > Could you give some details here? Password based principals aren't
> > affected?
> 
> Password-based principals are not affected.  No randomness is used in
> generating those keys; the secure material is the password itself, which
> is run through a hash algorithm.  Only randomly generated keys (generally
> the keys you put into keytabs, but also randomized user principals if you
> have any) are affected.
O.k., that's what I thought.

> > For those using keytabs "ktutil -k <keytab> change; ktutil -k purge
> > --age=<short>" is sufficient?
> 
> That looks right to me, although take that with a grain of salt since I
> use MIT personally and am not that familiar with the Heimdal ktutil
> command syntax.
Just for completeness: Heimdal also generates these by default:

kadmin/admin
kadmin/hprop
kadmin/changepw
changepw/kerberos
krbtgt/YOUREALM.FOO

If I understand things correctly, these must be updated too, although they
don't necessarily correspond to an exported keytab. This can be done
using "cpw -r <principal>" within kadmin.
Thanks again for the explanation.
Cheers,
 -- Guido
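
One way to check a keytab after the `ktutil change` / `purge` step discussed above, as an added example that is not part of the original message and is not Heimdal code: it parses the version 0x0502 file keytab layout and lists entries whose timestamp predates the rotation. The function names, `ROTATED_AT` and the sample keytab are constructed for illustration, and the keytab is assumed to be stored in that file format.

```python
import struct

def build_entry(realm, comps, ts, kvno, enctype, key):
    """Serialize one keytab entry; used only to construct the sample below."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

def parse_keytab(data):
    """Return (principal, kvno, enctype, timestamp) per entry; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative length marks a deleted slot
            pos -= size
            continue
        end, p = pos + size, pos + 2
        if end > len(data):
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        def counted():
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            text = data[p + 2:p + 2 + n].decode()
            p += 2 + n
            return text
        realm = counted()
        name = "/".join(counted() for _ in range(ncomp))
        _ntype, ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen
        if end - p >= 4:              # 32-bit kvno, when present, wins
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append((f"{name}@{realm}", kvno, enctype, ts))
        pos = end
    return entries

def stale_entries(data, rotated_at):
    """Entries written before rotated_at (epoch seconds): still to be purged."""
    return [e for e in parse_keytab(data) if e[3] < rotated_at]

# Constructed sample: a pre-rotation key (kvno 3) and its replacement (kvno 4).
ROTATED_AT = 1210809600  # placeholder rotation time, not taken from the thread
SAMPLE = b"\x05\x02" + b"".join(
    build_entry("EXAMPLE.TEST", ["host", "web.example.test"], ts, kvno, 18, bytes(32))
    for ts, kvno in [(ROTATED_AT - 86400, 3), (ROTATED_AT + 60, 4)])
```

An empty result from `stale_entries` on the real keytab means no entry with a pre-rotation timestamp remains in the file.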

