Re: heimdal -> MIT kdc migration

From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Thu, 28 Aug 2025 02:43:57 UTC
On Tue, Aug 26, 2025 at 9:35 AM Gleb Smirnoff <glebius@freebsd.org> wrote:
>
> On Tue, Aug 26, 2025 at 08:31:13AM -0700, Gleb Smirnoff wrote:
> T> On Tue, Aug 26, 2025 at 08:13:26AM -0700, Rick Macklem wrote:
> T> R> Ok. If you install FreeBSD-13.5 and then "pkg install heimdal", you get a
> T> R> working Heimdal-7.8 in ports.
> T> R>
> T> R> Now, I have another challenge. Fixing the master passwords.
> T> R> I'll work on it later today.
> T>
> T> I have applied two commits from Heimdal from 2012 that add 'kadmin dump -f MIT'
> T> feature to our base heimdal and polished them to compile.  So far it doesn't
> T> work yet: it either creates an empty dump or a core dump instead of a
> T> database dump :) I'll see how difficult it is going to be to further resolve
> T> that to a working condition. If I succeed, then having 'dump -f MIT' in base
> T> without any ports would be the best solution.  Can also be merged to FreeBSD 14.4.
>
> Good news.  In the above paragraph I was testing my change incorrectly - threw
> the new binary on a system running unpatched libraries.  When run correctly,
> it successfully produced something that looks like a correct dump in MIT format.
> I haven't yet tried to load it into MIT kdc yet, though.
>
> I will finalize the branch promptly and share it.  The above experience also
> indicated that I need to do a library version bump.
I don't know if you are enthusiastic about pursuing this, but hopefully this
works and gets the principals in (although I doubt the passwords will
work without changing them).

To get the passwords to work, I think the following *might* do it:
- If you look in the Heimdal sources, when "--decrypt" is specified,
  I think it finds its way down into a function called hdb_unseal_key_mkey()
  which decrypts the key using the master key by calling _hdb_mkey_decrypt().
  To get the passwords to work, I think the call to _hdb_mkey_decrypt() would
  need to be followed by a call to _hdb_mkey_encrypt() with the "key"
  argument being the master key for the MIT database. (It is a keytab
  entry called /var/db/krb5kdc/.k5.YOUR.REALM created when you do a
  "kdb5_util create -s" on the system that will be the MIT KDC.)
  - Just to make it even more fun, there is a flag called HDB_KU_MKEY
    which is set to the Heimdal way and not for the MIT way (whatever
    that really means?).
  - There is also some stuff about padding in hdb_unseal_key_mkey(),
    but hopefully that won't be a problem?

I think hdb_read_master_key() can be used to read in the MIT master
key from the file you provide as an argument to it.

This all is just a hunch, based on what I've seen so far.

I'll admit since the hardware I have takes forever to "make buildworld"
and I don't know a quick way to build/test these changes, I'm not
inspired to try it.

rick

>
> --
> Gleb Smirnoff
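A toy model of the re-sealing step sketched above, added here as an illustration; it is not code from Heimdal, MIT krb5, or anyone on this thread. The cipher is a constructed HMAC-based stand-in for the real master-key encryption, the function names only echo hdb_unseal_key_mkey() and _hdb_mkey_encrypt()/_hdb_mkey_decrypt(), and the usage values (HDB_KU_MKEY = 0x484442 for Heimdal, 0 for MIT) are taken from the respective sources; the block size, padding and tag are assumptions of the model.

```python
import hashlib
import hmac

HDB_KU_MKEY = 0x484442  # Heimdal's key usage for master-key sealing ("HDB")
MIT_KU_MKEY = 0         # MIT krb5 seals principal keys with key usage 0
BLOCK = 16              # constructed block size that forces padding

def _stream(mkey, usage, n):
    # Constructed keystream: HMAC-SHA256 in counter mode, keyed by the master
    # key and bound to the key usage (stand-in for the real cipher).
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(mkey, usage.to_bytes(4, "big") + i.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        i += 1
    return out[:n]

def _tag(mkey, usage, ct):
    return hmac.new(mkey, usage.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:8]

def mkey_encrypt(mkey, usage, plain):
    # Toy stand-in for _hdb_mkey_encrypt(): pad to the block size (this is
    # why the unseal step below has to truncate), encrypt, append a tag.
    padded = plain + b"\x00" * (-len(plain) % BLOCK)
    ct = bytes(a ^ b for a, b in zip(padded, _stream(mkey, usage, len(padded))))
    return ct + _tag(mkey, usage, ct)

def mkey_decrypt(mkey, usage, blob):
    # Toy stand-in for _hdb_mkey_decrypt(): wrong master key or usage fails the tag.
    ct, tag = blob[:-8], blob[-8:]
    if not hmac.compare_digest(tag, _tag(mkey, usage, ct)):
        raise ValueError("wrong master key or key usage")
    return bytes(a ^ b for a, b in zip(ct, _stream(mkey, usage, len(ct))))

def unseal_key(blob, mkey, keysize):
    # Shape of hdb_unseal_key_mkey(): try the Heimdal usage, fall back to the
    # MIT usage, then drop padding by truncating to the enctype's key size.
    try:
        raw = mkey_decrypt(mkey, HDB_KU_MKEY, blob)
    except ValueError:
        raw = mkey_decrypt(mkey, MIT_KU_MKEY, blob)
    if len(raw) < keysize:
        raise ValueError("decrypted key shorter than the enctype key size")
    return raw[:keysize]

def rewrap_for_mit(blob, heimdal_mkey, mit_mkey, keysize):
    # The extra step proposed in the mail: after unsealing with the Heimdal
    # master key, seal again with the MIT master key and the MIT key usage.
    return mkey_encrypt(mit_mkey, MIT_KU_MKEY, unseal_key(blob, heimdal_mkey, keysize))
```

The model only shows the control flow (usage fallback, length fixup, re-seal under the second master key); the real kdb5_util load additionally expects the MIT dump record layout around each sealed key.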