Date: Wed, 27 Aug 2025 19:43:57 -0700
From: Rick Macklem <rick.macklem@gmail.com>
To: Gleb Smirnoff <glebius@freebsd.org>
Cc: Cy Schubert <Cy.Schubert@cschubert.com>, freebsd-current@freebsd.org
Subject: Re: heimdal -> MIT kdc migration
Message-ID: <CAM5tNy6t-gT54u4ox5OyYEWC9wq5COcyuUjT+0gG6bGhME2WNw@mail.gmail.com>
In-Reply-To: <aK3iW189fZ2_xSyB@cell.glebi.us>
References: <aKwYB4d6l4ze-yXA@cell.glebi.us> <aKxcwqKqW3ZpA3Po@cell.glebi.us> <56dd78c6-a53a-4c4c-989a-335cc5fed405@FreeBSD.org> <CAM5tNy5sNv8z0zW2ZFt+9=ytUpjGVudsYbcSC2mQSudi3iWSfQ@mail.gmail.com> <CAM5tNy73KwR-DBqc28bqRPKqW7UqXN7RXYB=p-Za5Lsoy9jFcw@mail.gmail.com> <1578a4eac5402d0496d8989e5258bc78@Leidinger.net> <CAM5tNy42Xvj8M+q4qDO35T31wWLO-2pC9H0_V0rVM2uZmSL2RA@mail.gmail.com> <CAM5tNy5m8tEaivQdC4G-=VNpf3ng6JcdpeJKvxA8oM==OdbMUw@mail.gmail.com> <aK3TQbWXkr_r24sW@cell.glebi.us> <aK3iW189fZ2_xSyB@cell.glebi.us>
On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff <glebius@freebsd.org> wrote:
>
> On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> T> R> working Heimdal-7.8 in ports.
> T> R>
> T> R> Now, I have another challenge. Fixing the master passwords.
> T> R> I'll work on it later to-day.
> T>
> T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> T> feature to our base heimdal and polished them to compile. So far it doesn't
> T> work yet, either create an empty dump or create a core dump, instead of
> T> database dump :) I'll see how difficult it is going to further resolve that to
> T> a working condition. If I succeed, then having 'dump -f MIT' in base without
> T> any ports would be the best solution. Can also be merged to FreeBSD 14.4.
>
> Good news. In the above paragraph I was testing my change incorrectly - threw
> the new binary on a system running unpatched libraries. When run correctly,
> it successfully produced something that looks like a correct dump in MIT format.
> I haven't yet tried to load it into MIT kdc yet, though.
>
> I will finalize the branch promptly and share it. The above experience also
> indicated that I need to do a library version bump.
I don't know if you are enthusiastic about pursuing this, but hopefully this
works and gets the principals in (although I doubt the passwords will
work without changing them).
To get the passwords to work, I think the following *might* do it:
- If you look in the Heimdal sources, when "--decrypt" is specified,
I think it finds its way down into a function called hdb_unseal_key_mkey()
which decrypts the key using the master key by calling _hdb_mkey_decrypt().
To get the passwords to work, I think the call to _hdb_mkey_decrypt() would
need to be followed by a call to _hdb_mkey_encrypt() with the "key"
argument being the master key for the MIT database. (It is a keytab
entry called /var/db/krb5kdc/.k5.YOUR.REALM created when you do a
"kdb5_util create -s" on the system that will be the MIT KDC.)
- Just to make it even more fun, there is a flag called HDB_KU_MKEY
which is set to the Heimdal way and not for the MIT way (whatever
that really means?).
- There is also some stuff about padding in hdb_unseal_key_mkey(),
but hopefully that won't be a problem?
I think hdb_read_master_key() can be used to read in the MIT master
key from the file you provide as an argument to it.
This all is just a hunch, based on what I've seen so far.
I'll admit since the hardware I have takes forever to "make buildworld"
and I don't know a quick way to build/test these changes, I'm not
inspired to try it.
rick
>
> --
> Gleb Smirnoff
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAM5tNy6t-gT54u4ox5OyYEWC9wq5COcyuUjT%2B0gG6bGhME2WNw>
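The re-seal step sketched in the message above (unseal each principal key with the Heimdal master key, then seal it again with the MIT master key, both under key usage HDB_KU_MKEY) modelled as an added Python example. This is not Heimdal's or MIT's code: the real _hdb_mkey_decrypt()/_hdb_mkey_encrypt() use the master key's Kerberos enctype, whereas this stand-in uses an HMAC-SHA256 stream cipher plus HMAC tag from the standard library so it runs offline, and it does not model the padding the message mentions. The HDB_KU_MKEY value is the one from Heimdal's hdb.h; the master keys, principal keys, entry layout and function names are constructed for the example.

```python
"""Model of re-sealing HDB principal keys from one master key to another.

Added example, not Heimdal or MIT code.  Demonstrates why a dump whose keys
are still sealed under the Heimdal master key cannot be used by an MIT KDC
with its own master key, and what the extra encrypt call buys you.
"""
import hashlib
import hmac
import os
import struct

HDB_KU_MKEY = 0x484442  # ASCII "HDB": the key usage Heimdal uses for master-key sealing


def _subkey(mkey, usage, purpose):
    """Derive a per-usage, per-purpose key (stand-in for enctype key derivation)."""
    return hmac.new(mkey, purpose + struct.pack(">I", usage), hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; constructed stand-in for the enctype's cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def mkey_encrypt(mkey, usage, plaintext):
    """Seal a key under a master key (model of _hdb_mkey_encrypt): nonce || ct || tag."""
    nonce = os.urandom(16)
    ke, ki = _subkey(mkey, usage, b"enc"), _subkey(mkey, usage, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ke, nonce, len(plaintext))))
    tag = hmac.new(ki, struct.pack(">I", usage) + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def mkey_decrypt(mkey, usage, sealed):
    """Unseal (model of _hdb_mkey_decrypt).  Raises ValueError on wrong master key or usage."""
    if len(sealed) < 16 + 32:
        raise ValueError("sealed blob too short")
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    ke, ki = _subkey(mkey, usage, b"enc"), _subkey(mkey, usage, b"mac")
    expect = hmac.new(ki, struct.pack(">I", usage) + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("integrity check failed: wrong master key or key usage")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ke, nonce, len(ct))))


def reseal_entry(entry, old_mkey, new_mkey, new_mkvno):
    """Copy of an HDB-style entry with every key re-sealed under new_mkey.

    This is the extra step the message proposes: after the dump code has
    decrypted with the Heimdal master key, encrypt again with the MIT one.
    """
    out = {"principal": entry["principal"], "keys": []}
    for k in entry["keys"]:
        raw = mkey_decrypt(old_mkey, HDB_KU_MKEY, k["sealed"])
        out["keys"].append({"enctype": k["enctype"], "mkvno": new_mkvno,
                            "sealed": mkey_encrypt(new_mkey, HDB_KU_MKEY, raw)})
    return out


def unseal_entry(entry, mkey):
    """Decrypt every key of an entry under mkey (what the destination KDC does on lookup)."""
    return [mkey_decrypt(mkey, HDB_KU_MKEY, k["sealed"]) for k in entry["keys"]]


# Constructed sample: one Heimdal-side entry with two keys sealed under the old master key.
OLD_MKEY = os.urandom(32)                     # stand-in for the Heimdal master key
NEW_MKEY = os.urandom(32)                     # stand-in for the MIT .k5.YOUR.REALM stash key
RAW_KEYS = [os.urandom(32), os.urandom(16)]   # constructed aes256-/aes128-sized principal keys
HEIMDAL_ENTRY = {
    "principal": "user@EXAMPLE.ORG",
    "keys": [{"enctype": 18, "mkvno": 1, "sealed": mkey_encrypt(OLD_MKEY, HDB_KU_MKEY, RAW_KEYS[0])},
             {"enctype": 17, "mkvno": 1, "sealed": mkey_encrypt(OLD_MKEY, HDB_KU_MKEY, RAW_KEYS[1])}],
}


def migrated_keys_match():
    """True iff the MIT side recovers the original key material after re-sealing."""
    return unseal_entry(reseal_entry(HEIMDAL_ENTRY, OLD_MKEY, NEW_MKEY, 1), NEW_MKEY) == RAW_KEYS


def unconverted_dump_fails():
    """True iff keys left sealed under the Heimdal master key are rejected by the MIT key."""
    try:
        unseal_entry(HEIMDAL_ENTRY, NEW_MKEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("re-sealed keys match:", migrated_keys_match())
    print("unconverted dump rejected:", unconverted_dump_fails())
```

The second check is the failure mode the message anticipates: a dump produced with the keys still sealed (or decrypted but not re-sealed) under the wrong master key does not yield usable principal keys, so every password would have to be reset. Whether the real Heimdal and MIT code paths line up on padding and on the HDB_KU_MKEY usage is exactly the open question in the thread; the model only shows the shape of the fix.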
