[krbdev.mit.edu #6359] new multi-masterkey support doesn't work well when system clock is set back

william.fiveash@sun.com via RT rt-comment at krbdev.mit.edu
Tue Feb 3 11:59:20 EST 2009


On Tue, Feb 03, 2009 at 04:15:19AM +0000, Nicolas Williams via RT wrote:
> On Tue, Feb 03, 2009 at 01:43:39AM +0000, william.fiveash at sun.com via RT wrote:
> > If the system clock on a KDC is set back in time after an mkey is
> > activated "now", or if the admin sets the active time for all existing
> > mkeys in the future, it is possible that the code will not find any mkey
> > active.  This is a problem, as there should always be one "active" mkey
> > used to protect principal keys.  I'd like to address this by making
> > several changes, including:
> 
> Can't the active key be marked in the principal's record via TL data?

See: http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
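The failure mode quoted in this thread, a master-key activation list in which every activation time is later than the KDC's current clock, as an added example that is not code from MIT krb5 or from the Master_Key_Migration project page. The ActKvno record, the sample entries, and the fallback rule of using the soonest-activating key when nothing is active yet are assumptions made here for illustration; the point is that selection never reports "no active mkey":

```python
"""Active master-key selection when activation times are later than the clock.

Added example for this bug thread, not code from MIT krb5 or from the
Master_Key_Migration design page.  The ActKvno record, the sample entries
and the fallback rule are assumptions made here for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ActKvno:
    """One entry of the master-key activation list (constructed shape)."""
    kvno: int       # master key version number
    act_time: int   # time (seconds since epoch) from which this mkey is active


def naive_active_kvno(entries: Sequence[ActKvno], now: int) -> Optional[int]:
    """Newest mkey with act_time <= now, or None if there is none.

    This reproduces the problem in the report: after the KDC clock is set
    back past the newest activation time, or when every act_time is in the
    future, no entry is eligible and the caller is left without an mkey.
    """
    eligible = [e for e in entries if e.act_time <= now]
    if not eligible:
        return None
    return max(eligible, key=lambda e: (e.act_time, e.kvno)).kvno


def select_active_mkey(entries: Sequence[ActKvno], now: int) -> Tuple[int, str]:
    """Always returns an mkey kvno plus a reason string for logging.

    - "active":   newest entry whose act_time <= now (ties broken by higher kvno).
    - "fallback": no entry is active at `now`; the entry that activates soonest
      is used instead.  Which key to use here is a policy choice (an assumption
      in this example); what matters is that the KDC never ends up with no mkey
      to protect principal keys.  Callers should log this case, since it almost
      always means the clock moved backwards or act_times were set in the future.
    """
    if not entries:
        raise ValueError("master key activation list is empty")
    eligible = [e for e in entries if e.act_time <= now]
    if eligible:
        return max(eligible, key=lambda e: (e.act_time, e.kvno)).kvno, "active"
    soonest = min(entries, key=lambda e: (e.act_time, -e.kvno))
    return soonest.kvno, "fallback"


def future_activations(entries: Sequence[ActKvno], now: int) -> List[ActKvno]:
    """Entries whose act_time is ahead of the clock, oldest first.

    A cheap consistency check an admin tool can run after changing mkey
    activation times or after the system clock has been adjusted.
    """
    return sorted((e for e in entries if e.act_time > now), key=lambda e: e.act_time)


# Constructed sample list: three master keys activated one hour apart.
SAMPLE = (
    ActKvno(kvno=1, act_time=1_233_000_000),
    ActKvno(kvno=2, act_time=1_233_003_600),
    ActKvno(kvno=3, act_time=1_233_007_200),
)

if __name__ == "__main__":
    # First clock value is between kvno 2 and 3 activation; second is before all.
    for now in (1_233_005_000, 1_232_999_000):
        print(now, naive_active_kvno(SAMPLE, now), select_active_mkey(SAMPLE, now))
```

With the clock set back before every activation time, naive_active_kvno returns None while select_active_mkey still yields a key and a "fallback" reason the KDC can log; future_activations lists the entries an administrator should look at in that situation.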



