Skip to content
/ krb-rekey Public

automatic rekeying of kerberos service princpals

1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cg2v/krb-rekey

1 Branch14 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

cg2vcg2v
Create codeql.yml
May 4, 2024
99bd731 · May 4, 2024

History

217 Commits
.github/workflows
.github/workflows
May 4, 2024
lib
lib
Feb 2, 2016
m4
m4
Jan 8, 2021
snippet
snippet
Nov 24, 2014
.gitignore
.gitignore
Jan 8, 2021
Makefile.am
Makefile.am
May 25, 2022
PSMakefile
PSMakefile
Dec 3, 2019
PSMakefile.MW
PSMakefile.MW
Mar 15, 2013
README.md
README.md
Dec 17, 2015
SMakefile
SMakefile
Jul 29, 2009
acl.c
acl.c
May 25, 2022
admin_file.c
admin_file.c
May 25, 2022
admin_ldapgroups-std.c
admin_ldapgroups-std.c
Dec 7, 2019
age_keytab.c
age_keytab.c
Mar 1, 2013
age_keytab.pod
age_keytab.pod
May 25, 2022
autogen
autogen
Jun 26, 2015
cltlib.c
cltlib.c
May 25, 2022
configure.ac
configure.ac
May 25, 2022
depot.conf
depot.conf
Dec 3, 2019
dhp1024.pem
dhp1024.pem
Feb 2, 2009
dhp2048.pem
dhp2048.pem
Feb 2, 2009
dhp3072.pem
dhp3072.pem
Feb 2, 2009
dhp4096.pem
dhp4096.pem
Feb 2, 2009
dhp512.pem
dhp512.pem
Feb 2, 2009
dhp7680.pem
dhp7680.pem
Feb 2, 2009
getnewkeys.c
getnewkeys.c
May 25, 2022
getnewkeys.pod
getnewkeys.pod
May 25, 2022
iana.txt
iana.txt
Jun 7, 2010
krb5_portability.h
krb5_portability.h
Nov 24, 2014
memmgt.c
memmgt.c
Mar 1, 2013
memmgt.h
memmgt.h
Mar 25, 2009
oldlib.c
oldlib.c
Feb 2, 2009
protocol.h
protocol.h
May 25, 2022
rekey-locl.h
rekey-locl.h
May 25, 2022
rekey.socket
rekey.socket
Dec 9, 2019
rekey.spec
rekey.spec
May 25, 2022
rekey.sql
rekey.sql
Feb 2, 2009
rekey@.service.in
rekey@.service.in
Mar 7, 2022
rekeyclt-locl.h
rekeyclt-locl.h
Aug 15, 2013
rekeyclt.c
rekeyclt.c
May 25, 2022
rekeylib.c
rekeylib.c
Mar 1, 2013
rekeymgr.pod
rekeymgr.pod
May 25, 2022
rekeysrv-locl.h
rekeysrv-locl.h
Dec 3, 2019
rekeysrv.pod
rekeysrv.pod
May 25, 2022
rekeytest.c
rekeytest.c
May 25, 2022
sqlembed.pl
sqlembed.pl
Feb 2, 2009
srvmain.c
srvmain.c
May 25, 2022
srvnet.c
srvnet.c
Jun 29, 2023
srvops.c
srvops.c
May 25, 2022
srvutil.c
srvutil.c
May 25, 2022
test_acls
test_acls
Mar 1, 2013
try_acl.c
try_acl.c
Mar 1, 2013
update-kerberos-keys
update-kerberos-keys
May 25, 2022

Repository files navigation

Key management for kerberos service principals

This software allows for automatic rekeying of kerberos service princpals1, even if they are shared. It also includes functionality for initial keying (or key resets) of non-shared principals with random keys.

The software attempts to achieve perfect forward secrecy by encrypting with TLS (DH or ECDH. RSA ciphersuites and server certificates are not used), and then authenticating the connection using GSSAPI and channel bindings. The channel bindings do not formally conform to RFC5056, RFC5554, or RFC5929, but are intended to be equivalent to tls-unique, with each side sending a MIC of the finished messages obtained from openssl2.

There is not any operational documentation beyond the manpage. Please contact cg2v@andrew.cmu.edu or open an issue if you want help setting this up at your site.

The LDAP authorzation mechanisms are tailored to specific Carnegie Mellon LDAP systems and would require adaptation to use elsewhere. There is a simple file based authorization mechanism that is more general

1: Principals which are used only as servers, and never as clients

2: Session resumption is disabled, and RSA ciphersuites were never supported, so this protocol should not be vulnerable to triple handshake attacks.

About

automatic rekeying of kerberos service princpals

Resources

Readme
Activity

Stars

1 star

Watchers

3 watching

Forks

1 fork
Report repository

Releases

14 tags

Packages

No packages published

Contributors 2

Languages