Understanding kvno better

Srinivas Cheruku srinivas.cheruku at gmail.com
Sat Jun 10 01:43:59 EDT 2006


Hi All,

I understand that we need to change Kerberos keys at regular intervals, since it is not recommended to use the same keys for a long amount of time.
When we change keys the kvno is incremented and the old keys are also stored in the Kerberos user repository. 
Can anyone give me a scenario where these old keys are used?

Also, I want a better understanding of kvno and keys usage in the below scenario.

I have a key extracted in my key table file on the server, say with kvno 3. The client has got a service ticket with kvno 3. Then, I will change the key and extract the key into the key table file, which will be with kvno 4. Now, I will have two keys, with kvno 3 and kvno 4, in the key table file on the server.

Since the client had already got the service ticket with kvno 3, and the latest key in the key table file is with kvno 4, what should happen if he tries to access the service?
Should the service ticket with kvno 3 be accepted by the server?
Or should it give an error, since the latest key in the key table file is with kvno 4?

I would very much appreciate it if you can let me know what should happen in this case.

Thanks and Regards,
Srini



