CCed the security team.
Security-team: Do you think this is a security issue?
I can't remember the point of encrypting the database with the key in
the same directory right now. Maybe it protects against certain types of
mistakes, not sure.
Regards.
Ryan Tandy writes:
> On Tue, Jul 18, 2017
On Tue, Jul 18, 2017 at 05:35:07PM +1000, Brian May wrote:
Does the attached patch look good to you?
Yes, that's exactly what I had in mind. Tested here and looks fine.
Changelog typo: "explicity". Guessing you already spotted it.
The path would also need updating in the heimdal-kdc/password
Ryan Tandy writes:
> A possible solution would be to install the default mkey with an
> explicit 'kstash -k /var/lib/heimdal-kdc/heimdal.mkey' (until the
> default changes again, anyway).
Does the attached patch look good to you?
Do you consider this a security issue? Do we need to investigat
On Sun, 16 Jul 2017 19:10:01 -0700 Ryan Tandy wrote:
I was about to suggest 'kadmin -c /etc/heimdal-kdc/kdc.conf -l stash',
but it seems this also doesn't use DBNAME.mkey as a default! I think
I'll raise that upstream. Not to mention the lack of even a warning when
the mkey file doesn't exist.
Package: heimdal-kdc
Version: 7.4.0.dfsg.1-1
Severity: normal
Dear maintainer,
heimdal-kdc.postinst runs kstash(8) to generate a master key. This key
is written to /var/lib/heimdal-kdc/m-key. However, kadmin(8) and kdc(8)
try to read the master key from /var/lib/heimdal-kdc/heimdal.mkey
(stra