deletion of old keys

Donn Cave donn at
Thu Jun 3 14:59:43 EDT 2004

In article <tsld64gk1nh.fsf at>,
 hartmans at MIT.EDU (Sam Hartman) wrote:

> >>>>> "Lara" == Lara Adianto <m1r4cle_26 at> writes:
>     Lara> Hi, In section 4.1 of RFC 1510, it is mentioned that "When
>     Lara> an application server's key changes, if the change is
>     Lara> routine, the old key should be retained by the server until
>     Lara> all tickets that had been issued using that key have
>     Lara> expired"
> It means in the keytab, not the KDC database.
> There's not currently a way to delete key data from the kdc if you use
> the option to retain old keys.

Which is probably not an issue, right?  I mean, unless
this option is widely used.

If I may elaborate a little (I hope someone will correct
me if this isn't right), a service ticket for your
service is based on the key for that service at the
time the ticket was issued, of course.  Then, for the
rest of its lifetime, it needs to match the key in the
keytab file.  That key is identified by kvno, so it's
possible to retain the old key alongside the new key.
(Assuming MIT or Heimdal Kerberos, not MS.)

The time span during which this is an issue depends on
ticket expiration.  Once that time has elapsed, the
old key may be removed by the system administrator.
Or left in there, doesn't make any difference.

   Donn Cave, donn at

More information about the Kerberos mailing list