Skip to content
/ krb-rekey Public

automatic rekeying of kerberos service princpals

1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cg2v/krb-rekey

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

217 Commits
.github/workflows
.github/workflows
 
 
lib
lib
 
 
m4
m4
 
 
snippet
snippet
 
 
.gitignore
.gitignore
 
 
Makefile.am
Makefile.am
 
 
PSMakefile
PSMakefile
 
 
PSMakefile.MW
PSMakefile.MW
 
 
README.md
README.md
 
 
SMakefile
SMakefile
 
 
acl.c
acl.c
 
 
admin_file.c
admin_file.c
 
 
admin_ldapgroups-std.c
admin_ldapgroups-std.c
 
 
age_keytab.c
age_keytab.c
 
 
age_keytab.pod
age_keytab.pod
 
 
autogen
autogen
 
 
cltlib.c
cltlib.c
 
 
configure.ac
configure.ac
 
 
depot.conf
depot.conf
 
 
dhp1024.pem
dhp1024.pem
 
 
dhp2048.pem
dhp2048.pem
 
 
dhp3072.pem
dhp3072.pem
 
 
dhp4096.pem
dhp4096.pem
 
 
dhp512.pem
dhp512.pem
 
 
dhp7680.pem
dhp7680.pem
 
 
getnewkeys.c
getnewkeys.c
 
 
getnewkeys.pod
getnewkeys.pod
 
 
iana.txt
iana.txt
 
 
krb5_portability.h
krb5_portability.h
 
 
memmgt.c
memmgt.c
 
 
memmgt.h
memmgt.h
 
 
oldlib.c
oldlib.c
 
 
protocol.h
protocol.h
 
 
rekey-locl.h
rekey-locl.h
 
 
rekey.socket
rekey.socket
 
 
rekey.spec
rekey.spec
 
 
rekey.sql
rekey.sql
 
 
[email protected]
[email protected]
 
 
rekeyclt-locl.h
rekeyclt-locl.h
 
 
rekeyclt.c
rekeyclt.c
 
 
rekeylib.c
rekeylib.c
 
 
rekeymgr.pod
rekeymgr.pod
 
 
rekeysrv-locl.h
rekeysrv-locl.h
 
 
rekeysrv.pod
rekeysrv.pod
 
 
rekeytest.c
rekeytest.c
 
 
sqlembed.pl
sqlembed.pl
 
 
srvmain.c
srvmain.c
 
 
srvnet.c
srvnet.c
 
 
srvops.c
srvops.c
 
 
srvutil.c
srvutil.c
 
 
test_acls
test_acls
 
 
try_acl.c
try_acl.c
 
 
update-kerberos-keys
update-kerberos-keys
 
 

Repository files navigation

Key management for kerberos service principals

This software allows for automatic rekeying of kerberos service princpals1, even if they are shared. It also includes functionality for initial keying (or key resets) of non-shared principals with random keys.

The software attempts to achieve perfect forward secrecy by encrypting with TLS (DH or ECDH. RSA ciphersuites and server certificates are not used), and then authenticating the connection using GSSAPI and channel bindings. The channel bindings do not formally conform to RFC5056, RFC5554, or RFC5929, but are intended to be equivalent to tls-unique, with each side sending a MIC of the finished messages obtained from openssl2.

There is not any operational documentation beyond the manpage. Please contact [email protected] or open an issue if you want help setting this up at your site.

The LDAP authorzation mechanisms are tailored to specific Carnegie Mellon LDAP systems and would require adaptation to use elsewhere. There is a simple file based authorization mechanism that is more general

1: Principals which are used only as servers, and never as clients

2: Session resumption is disabled, and RSA ciphersuites were never supported, so this protocol should not be vulnerable to triple handshake attacks.

About

automatic rekeying of kerberos service princpals

Resources

Readme
Activity

Stars

1 star

Watchers

3 watching

Forks

1 fork
Report repository

Releases

14 tags

Packages

No packages published

Contributors 2

  •  
  •  

Languages