Subject: can't migrate master key to Heimdal
To: None <tech-crypto@netbsd.org, current-users@netbsd.org>
From: Aidan Cully <aidan@kublai.com>
List: current-users
Date: 07/01/2000 14:58:56
Now that crypto-us is gone, and replaced with the old crypto-intl, I
thought it might be a good time to start experimenting with Heimdal.
So I tried to migrate my old KDC to Heimdal.  gurk.

First: the master_key file is in a different format.  I have to write
a little utility for my local db to rewrite the contents of the
master_key in a format that Heimdal can understand.  Fine, a few
iterations of working out how the interface to encode_EncryptionKey
works go by, and the utility is written.  I've got my master key in
ASN.1 encoding on my hard drive.

Second: Heimdal refuses outright all master keys that aren't enctype
ETYPE_DES_CBC_MD5.  Mine was ETYPE_DES_CBC_CRC.  I haven't dug around
enough to find out if it won't also accept DES_CBC_CRC...  I strongly
suspect that it won't.  The point is: AAARRRGGGHHH!!!
I think, for me, the quickest solution will be a utility to migrate
the principal.db to a different master key.  I've thought for a while
that such a utility was necessary...  I guess it's time to get it out
of the way.  We'll see how things go after that...

The moral is, don't try to migrate your MIT KDCs to Heimdal, yet.  As
far as I can see, there isn't an upgrade path available.

--aidan
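
The two steps described in the message above, sketched as an added example that is not part of the original post and is not Heimdal or MIT code: it DER-encodes a raw DES key as the ASN.1 EncryptionKey structure (RFC 4120) and then applies the enctype check the post describes. It assumes the key has already been read out of the old master_key file; the function names and the sample key are hypothetical.

```python
"""Added example: DER form of a Kerberos EncryptionKey (RFC 4120)."""
ETYPE_DES_CBC_CRC = 1  # enctype numbers as assigned in RFC 3961
ETYPE_DES_CBC_MD5 = 3
SAMPLE_KEY = bytes.fromhex("0123456789abcdef")  # constructed, not a real key

def _tlv(tag, body):
    """Build one DER tag-length-value, short or long length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def _der_int(value):
    """Minimal two's-complement body of a DER INTEGER."""
    bits = (value if value >= 0 else ~value).bit_length()
    return value.to_bytes(bits // 8 + 1, "big", signed=True)

def encode_encryption_key(etype, key):
    """EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }"""
    keytype = _tlv(0xA0, _tlv(0x02, _der_int(etype)))
    keyvalue = _tlv(0xA1, _tlv(0x04, key))
    return _tlv(0x30, keytype + keyvalue)

def _read(buf, pos, tag):
    """Return (body, next_pos) of the TLV at pos; reject wrong tag or truncation."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + n], pos + n

def decode_encryption_key(der):
    """Parse a DER EncryptionKey into (etype, key bytes)."""
    seq, end = _read(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after EncryptionKey")
    f0, nxt = _read(seq, 0, 0xA0)
    f1, _ = _read(seq, nxt, 0xA1)
    etype = int.from_bytes(_read(f0, 0, 0x02)[0], "big", signed=True)
    return etype, _read(f1, 0, 0x04)[0]

def master_key_etype_ok(der, required=ETYPE_DES_CBC_MD5):
    """Mirror the check described in the post: only `required` is accepted."""
    etype, key = decode_encryption_key(der)
    return etype == required and len(key) == 8  # DES keys are 8 bytes
```

Running `decode_encryption_key` on the converted file before handing it to the KDC shows which enctype it carries; the keytype field is only a label, so a database encrypted under the old master key still has to be re-encrypted as the post concludes.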