Keys stored in the Kerberos database are encrypted in the Kerberos master key. The admin server will therefore have to acquire the key before it can perform any key-changing operations, and will have to decrypt and encrypt the keys retrieved from and placed into the database via krb5_db_get_principal and _put_principal. This section describes the internal admin server API that will be used to perform these functions.
krb5_principal master_princ;
krb5_encrypt_block master_encblock;
krb5_keyblock master_keyblock;
void kdc_init_master()
kdc_init_master opens the database and acquires the master key. It also sets the global variables master_princ, master_encblock, and master_keyblock.
krb5_error_code kdb_get_entry_and_key(krb5_principal principal, krb5_db_entry *entry, krb5_keyblock *key)
kdb_get_entry_and_key retrieves the named principal's entry from the database into entry, and decrypts its key into key. The caller must free entry with krb5_dbm_db_free_principal and free key->contents with free().
krb5_error_code kdb_put_entry_pw(krb5_db_entry *entry, char *pw)
kdb_put_entry_pw stores entry in the database. All the entry values must already be set; this function does not change any of them except the key. pw, the NULL-terminated password string, is converted to a key using string-to-key with the salt type specified in entry->salt_type.
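The three routines above, modelled in C as an added example for this page (it is not MIT Kerberos source). The function names kdc_init_master, kdb_get_entry_and_key and kdb_put_entry_pw are taken from the text; their bodies, the db_entry and keyblock layouts, the helpers toy_string_to_key, master_crypt, build_salt and stored_key_is_wrapped, the in-memory stash buffer, and the realm ATHENA.MIT.EDU with principal jdoe are all constructed for the example. The salt construction follows the Kerberos V5 salt types (normal, V4, no-realm, only-realm, special); the string-to-key function and the master-key cipher are deliberately trivial stand-ins so the block runs without libkrb5, and must not be mistaken for the real algorithms.

```c
/* Added model of the master-key handling described in this section. Example
 * code, not MIT Kerberos source: the salt rules are the real V5 salt types,
 * but string-to-key and the master-key cipher are trivial stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEYLEN 8

/* Salt types, numbered as in the krb5 KDB headers. */
enum { SALT_NORMAL = 0, SALT_V4 = 1, SALT_NOREALM = 2, SALT_ONLYREALM = 3, SALT_SPECIAL = 4 };

typedef struct {
    size_t length;
    uint8_t *contents;       /* malloc'd by kdb_get_entry_and_key; caller frees */
} keyblock;

typedef struct {
    const char *realm;
    const char *name;        /* single-component principal name, for brevity */
    int salt_type;
    const char *salt;        /* explicit salt, consulted only for SALT_SPECIAL */
    uint8_t enc_key[KEYLEN]; /* key as stored: encrypted under the master key */
    int have_key;
} db_entry;

static uint8_t master_key[KEYLEN];   /* stands in for the master_keyblock global */

/* Stand-in for string-to-key (FNV-1a over salt then password): deterministic
 * and salt-sensitive like the real thing, but NOT a key derivation function. */
void toy_string_to_key(const char *pw, const char *salt, uint8_t out[KEYLEN]) {
    uint64_t h = 1469598103934665603ULL;
    for (const char *p = salt; *p; p++) { h ^= (uint8_t)*p; h *= 1099511628211ULL; }
    for (const char *p = pw; *p; p++)   { h ^= (uint8_t)*p; h *= 1099511628211ULL; }
    for (int i = 0; i < KEYLEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Stand-in for encryption under master_encblock. XOR is its own inverse, so
 * one routine serves for both directions. NOT a real cipher. */
static void master_crypt(uint8_t k[KEYLEN]) {
    for (int i = 0; i < KEYLEN; i++) k[i] ^= master_key[i];
}

/* Kerberos V5 salt rules: NORMAL = realm then name components, V4 = empty,
 * NOREALM = name only, ONLYREALM = realm only, SPECIAL = salt stored in entry. */
int build_salt(const db_entry *e, char *out, size_t outlen) {
    int n;
    switch (e->salt_type) {
    case SALT_NORMAL:    n = snprintf(out, outlen, "%s%s", e->realm, e->name); break;
    case SALT_V4:        n = snprintf(out, outlen, "%s", ""); break;
    case SALT_NOREALM:   n = snprintf(out, outlen, "%s", e->name); break;
    case SALT_ONLYREALM: n = snprintf(out, outlen, "%s", e->realm); break;
    case SALT_SPECIAL:   if (!e->salt) return -1;
                         n = snprintf(out, outlen, "%s", e->salt); break;
    default:             return -1;
    }
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Model of kdc_init_master: load the master key from a constructed in-memory
 * stash buffer (the real server opens the database and fetches the key). */
void kdc_init_master(const uint8_t stash[KEYLEN]) {
    memcpy(master_key, stash, KEYLEN);
}

/* Model of kdb_get_entry_and_key: decrypt the stored key into *key.
 * Caller must free(key->contents). */
int kdb_get_entry_and_key(const db_entry *e, keyblock *key) {
    if (!e->have_key || !(key->contents = malloc(KEYLEN))) return -1;
    key->length = KEYLEN;
    memcpy(key->contents, e->enc_key, KEYLEN);
    master_crypt(key->contents);            /* decrypt under the master key */
    return 0;
}

/* Model of kdb_put_entry_pw: string-to-key with the entry's salt type, then
 * encrypt under the master key before storing. No other field changes. */
int kdb_put_entry_pw(db_entry *e, const char *pw) {
    char salt[256];
    if (build_salt(e, salt, sizeof salt) != 0) return -1;
    toy_string_to_key(pw, salt, e->enc_key);
    master_crypt(e->enc_key);               /* never store the plaintext key */
    e->have_key = 1;
    return 0;
}

/* 1 if the key as stored differs from the key the server works with. */
int stored_key_is_wrapped(const db_entry *e) {
    keyblock k;
    int differs;
    if (kdb_get_entry_and_key(e, &k) != 0) return -1;
    differs = memcmp(k.contents, e->enc_key, KEYLEN) != 0;
    free(k.contents);
    return differs;
}

int main(void) {
    static const uint8_t stash[KEYLEN] = { 0x13, 0x37, 0xc0, 0xde, 0xfa, 0xce, 0xb0, 0x0c };
    db_entry jdoe = { "ATHENA.MIT.EDU", "jdoe", SALT_NORMAL, NULL, {0}, 0 };
    keyblock k;
    kdc_init_master(stash);
    kdb_put_entry_pw(&jdoe, "hunter2");
    if (kdb_get_entry_and_key(&jdoe, &k) == 0) {
        printf("%zu-byte key recovered; wrapped in db: %s\n", k.length,
               stored_key_is_wrapped(&jdoe) ? "yes" : "no");
        free(k.contents);
    }
    return 0;
}
```

Two things the model makes visible that the prose only implies: the plaintext key exists only in the admin server's memory, between kdb_get_entry_and_key and the caller's free(), never in the stored entry; and the salt is a property of the entry, so changing entry->salt_type without calling kdb_put_entry_pw again leaves a stored key that no client will be able to derive from the password.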