Administering the Kerberos Server
Stashing the Master Key
The kdb_stash utility stores the master key (the encrypted master
password) in a stash file. The utility runs on the primary and secondary
security servers. You must specify the same key type and master password
that you specified when you created the database.

NOTE: If you created your database with kdb_create -s, you already have
a stash file.

Storing the password in a disk file may allow an intruder to gain
access to the principal database. Therefore, secure the file carefully.

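One way to audit the stash file, as an added example that is not part of the original manual: the shell function below reports a stash file that is a symbolic link, is not a regular file, is owned by an unexpected numeric UID, or grants any group or other permissions. The policy itself and the name check_stash_file are assumptions; pass the path of your own stash file and the UID your Kerberos server runs as.

```shell
#!/bin/sh
# Added example: audit the permissions of a Kerberos stash file.
# Assumed policy (not from the manual): the stash file is a regular file,
# owned by one expected numeric UID, with no group or other permission bits.
#
# Usage: check_stash_file PATH EXPECTED_UID
# Prints one line per finding.
# Returns 0 if clean, 1 if any finding, 2 if the file does not exist.
check_stash_file() {
    path=$1
    want_uid=$2
    findings=0

    if [ -L "$path" ]; then
        echo "FINDING: $path is a symbolic link"
        findings=1
    fi
    if [ ! -e "$path" ]; then
        echo "ERROR: $path does not exist"
        return 2
    fi
    if [ ! -f "$path" ]; then
        echo "FINDING: $path is not a regular file"
        return 1
    fi

    # ls -ldn prints "mode links uid gid ..."; -n keeps the IDs numeric.
    mode=$(ls -ldn "$path" | awk '{print $1}')
    uid=$(ls -ldn "$path" | awk '{print $3}')

    # Characters 5-10 of the mode string are the group and other bits.
    group_other=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$group_other" != "------" ]; then
        echo "FINDING: $path mode $mode grants group/other access"
        findings=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "FINDING: $path is owned by uid $uid, expected $want_uid"
        findings=1
    fi
    return $findings
}
```
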
The general syntax for stashing the master key is as follows:

    kdb_stash [-e enctype] [-f keyfile] [-M mkeyname] [-r REALM]

The kdb_stash utility uses the following options:

-e enctype     Specifies the encryption type to be used to generate the
               master key. The type you specify must be the same as
               the type you specified while creating the database.
               Following are the encryption types that are supported:

               3DES or 5: DES-CBC-MD5 (default)
               DES-MD5 or 3: DES-CBC-MD5
               DES-CRC or 1: DES-CBC-CRC

-f keyfile     Stashes the key in an alternate key file named
               keyfile. If you do not use the -f switch, the default
               keyfile is .k5.REALM.

-M mkeyname    Specifies an alternate for the primary principal name.
               The default primary principal name is K/M@REALM.

-r REALM       Stashes the principal database key for the realm
               REALM. By default, kdb_stash uses the realm defined in
               the krb.conf file. If the file does not exist, the
               command uses the uppercase equivalent of the domain
               name.