On Thu, May 15, 2008 at 07:53:21AM -0700, Russ Allbery wrote:
> Guido Günther <[EMAIL PROTECTED]> writes:
> > On Thu, May 15, 2008 at 03:33:41PM +1000, Brian May wrote:
>
> >> Apparently, Heimdal in Debian also is affected. I am not aware of any
> >> solution other than to manually regenerate all keys.
>
> > Could you give some details here? Password based principals aren't
> > affected?
>
> Password-based principals are not affected. No randomness is used in
> generating those keys; the secure material is the password itself, which
> is run through a hash algorithm. Only randomly generated keys (generally
> the keys you put into keytabs, but also randomized user principals if you
> have any) are affected.

O.k., that's what I thought.

> > For those using keytabs "ktutil -k <keytab> change; ktutil -k purge
> > --age=<short>" is sufficient?
>
> That looks right to me, although take that with a grain of salt since I
> use MIT personally and am not that familiar with the Heimdal ktutil
> command syntax.

Just for completeness: Heimdal also generates these by default:

kadmin/admin
kadmin/hprop
kadmin/changepw
changepw/kerberos
krbtgt/YOUREALM.FOO

If I understand things correctly these must be updated too although they
don't necessarily correspond to an exported keytab. This can be done
using "cpw -r <principal>" within kadmin.

Thanks again for the explanation.
Cheers,
 -- Guido
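
A check that can follow the keytab rotation discussed in this thread, added here as an example and not written by any of the posters: it parses a keytab file and lists entries whose timestamp predates a chosen cutoff, so keys left over from before the rotation are visible. It assumes the keytab uses the common file format, version 0x0502; the sample keytab, principal, realm and cutoff are constructed.

```python
import struct

def parse_entry(e):
    """Decode one entry body into (principal, kvno, timestamp, enctype)."""
    (ncomp,), off, parts = struct.unpack_from(">H", e, 0), 2, []
    for _ in range(ncomp + 1):          # realm first, then the name components
        (n,) = struct.unpack_from(">H", e, off)
        parts.append(e[off + 2:off + 2 + n].decode())
        off += 2 + n
    _type, ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", e, off)
    off += 13 + klen                    # skip the key bytes, they are never shown
    if len(e) - off >= 4:               # optional 32-bit kvno, wins if nonzero
        kvno = struct.unpack_from(">I", e, off)[0] or kvno
    return "/".join(parts[1:]) + "@" + parts[0], kvno, ts, enctype

def parse_keytab(data):
    """Yield every live entry of a version 0x0502 keytab file."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            if pos + size > len(data):
                raise ValueError("truncated entry")
            yield parse_entry(data[pos:pos + size])
        pos += abs(size)                # negative size marks a deleted slot

def stale_entries(data, cutoff):
    """Entries whose key was written before `cutoff` (Unix seconds)."""
    return [e for e in parse_keytab(data) if e[2] < cutoff]

def build_entry(realm, comps, ts, kvno, enctype, key):
    """Serialise one entry; used only to construct the sample below."""
    c = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + c(realm) + b"".join(map(c, comps))
    body += struct.pack(">IIBH", 1, ts, kvno, enctype) + c(key)
    return struct.pack(">i", len(body)) + body

ROTATED = 1_210_809_600                 # constructed rotation time (Unix seconds)
HOST = (b"EXAMPLE.ORG", [b"host", b"www.example.org"])   # constructed principal
SAMPLE = (b"\x05\x02"                   # constructed keytab, dummy all-zero keys
    + build_entry(*HOST, ROTATED - 7_776_000, 3, 18, bytes(32))
    + struct.pack(">i", -8) + bytes(8)  # a deleted slot
    + build_entry(*HOST, ROTATED + 60, 4, 18, bytes(32)))

if __name__ == "__main__":
    for princ, kvno, ts, etype in stale_entries(SAMPLE, ROTATED):
        print(f"STALE {princ} kvno={kvno} enctype={etype} written={ts}")
```

An empty result after the purge step means no entry older than the cutoff remains in that file; it says nothing about principals that have no exported keytab.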