Understanding kvno better

Markus Moeller huaraz at moeller.plus.com
Sat Jun 10 05:57:22 EDT 2006

I would say you decide it by either adding key 4 to the keytab and have for 
a period two keys in the keytab for just the case you described (no 
interruption of service) or you replace key 3 with key 4. In that case a 
client with key 3 can't connect. Personally I would use the first option and 
probably half the validity time of each key.


"Srinivas Cheruku" <srinivas.cheruku at gmail.com> wrote in message 
news:448A5C1F.2010107 at gmail.com...
> Hi All,
> I understand that we need to change Kerberos keys at regular intervals, 
> since it is not recommended to use the same keys for a long amount of 
> time.
> When we change keys the kvno is incremented and the old keys are also 
> stored in the Kerberos user repository.
> Can anyone give me a scenario where these old keys are used?
> Also, I want a better understanding of kvno and keys usage in the below 
> scenario.
> I have a key extracted in my key table file on the server say with kvno 3. 
> The client has got a service ticket with kvno 3. Then, I will change the 
> key and extract the key into the key table file, which will be with kvno 
> 4. Now, I will be having two keys with kvno 3 and kvno 4 in the key table 
> file on the server.
> Since, the client had already got the service ticket with kvno 3, and the 
> latest key in key table file is with kvno 4, what should happen if he 
> tries to access the service?
> Should the service ticket with kvno 3 be accepted by the server?
> Or it should give an error, since the latest key in the key table file is 
> with kvno 4?
> I would very much appreciate if you can let me know what should happen in 
> this case.
> Thanks and Regards,
> Srini
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
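
The two options in the reply above (keep kvno 3 and 4 side by side, or replace 3 with 4) can be checked against a keytab directly. The following is an added example, not code from the thread or from MIT Kerberos: it parses the keytab file format version 0x0502, lists the kvno of each entry, and models only the server's key selection by kvno, with no decryption. The principal name, enctype 18 and key bytes are constructed sample values, and `build_entry` and `can_decrypt` are hypothetical helper names.

```python
import struct

def build_entry(realm, components, kvno, enctype, key):
    # Constructed helper: serialise one keytab entry (file format 0x0502).
    counted = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + counted(key)
    body += struct.pack(">I", kvno)                 # trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:              # a negative size marks a deleted slot
            pos += -size
            continue
        end, p = pos + size, pos
        def counted():
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p]
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, p)
        (enctype,) = struct.unpack_from(">H", data, p + 9)
        p += 11
        counted()                  # skip the key bytes, they are not needed here
        if end - p >= 4:           # a non-zero 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, enctype))
        pos = end
    return entries

def can_decrypt(keytab, principal, ticket_kvno):
    # The server needs the key whose kvno matches the one in the ticket.
    return any(p == principal and k == ticket_kvno for p, k, _ in parse_keytab(keytab))

PRINC = "host/server.example.com@EXAMPLE.COM"          # constructed sample principal
KEY3 = build_entry("EXAMPLE.COM", ["host", "server.example.com"], 3, 18, bytes(32))
KEY4 = build_entry("EXAMPLE.COM", ["host", "server.example.com"], 4, 18, bytes(range(32)))
BOTH = b"\x05\x02" + KEY3 + KEY4       # first option: both keys kept for a period
REPLACED = b"\x05\x02" + KEY4          # second option: key 3 replaced by key 4
```

With `BOTH`, a ticket issued under kvno 3 still finds its key; with `REPLACED` it does not, which is the "client with key 3 can't connect" case.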
