Path: utzoo!utgpu!watserv1!watmath!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!swrinde!elroy.jpl.nasa.gov!lll-winken!unixhub!shelby!ATHENA.MIT.EDU!qjb
From: qjb@ATHENA.MIT.EDU
Newsgroups: comp.protocols.kerberos
Subject: srvtab on client machines
Message-ID: <9103012146.AA27404@soup.MIT.EDU>
Date: 1 Mar 91 21:46:39 GMT
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Lines: 31


>    So, how does Athena distribute srvtab files?
> 
> We send the files over encrypted somehow.  ...

Actually, we often don't bother sending the srvtab over
encrypted at all.  We often simply copy the srvtab into a
protect filesystem and copy it to the machine all in the clear.
Then, once it's there, we run 

krsvutil change

to change the keys via the admin protocol.  This is analogous to
giving a user an initial password and telling him/her to change
it immediately.

As you can imagine, there are quite a number of ways of doing
this.  I wrote a fairly program to generate srvtabs on the
server machine directly via the admin protocol.  The kerberos
admin logs into the server (presumably physically at the
machine), and types his admin password to this client which then
uses the admin protocol to create new principals with random
keys and write them into a srvtab file in the correct format.
This program is not in the kerberos release because I wrote it
after development on kerberos V had already started.  If you are
interested in this utility, feel free to send me personal mail.
(I'm sure that if there is a problem with my giving it away,
someone on this end will tell me so... :-) )

                                Jay Berkenbilt
                                Project Athena