Understanding kvno better
Markus Moeller
huaraz at moeller.plus.com
Sat Jun 10 05:57:22 EDT 2006
I would say you decide it by either adding key 4 to the keytab and have for
a period two keys in the keytab for just the case you described (no
interruption of service) or you replace key 3 with key 4. In that case a
client with key 3 can't connect. Personally I would use the first option and
probably halve the validity time of each key.
Markus
"Srinivas Cheruku" <srinivas.cheruku at gmail.com> wrote in message
news:448A5C1F.2010107 at gmail.com...
> Hi All,
>
> I understand that we need to change Kerberos keys at regular intervals,
> since it is not recommended to use the same keys for a long amount of
> time.
> When we change keys the kvno is incremented and the old keys are also
> stored in the Kerberos user repository.
> Can anyone give me a scenario where these old keys are used?
>
> Also, I want a better understanding of kvno and keys usage in the below
> scenario.
>
> I have a key extracted in my key table file on the server say with kvno 3.
> The client has got a service ticket with kvno 3. Then, I will change the
> key and extract the key into the key table file, which will be with kvno
> 4. Now, I will be having two keys with kvno 3 and kvno 4 in the key table
> file on the server.
>
> Since the client had already got the service ticket with kvno 3, and the
> latest key in key table file is with kvno 4, what should happen if he
> tries to access the service?
> Should the service ticket with kvno 3 be accepted by the server?
> Or should it give an error, since the latest key in the key table file is
> with kvno 4?
>
> I would very much appreciate it if you can let me know what should happen in
> this case.
>
> Thanks and Regards,
> Srini
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
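The scenario discussed in this thread (a keytab holding both kvno 3 and kvno 4 while a client still presents a ticket encrypted under kvno 3), as an added example that is not from either poster. The classes, the principal name and the key bytes are constructed for illustration, and the lookup simplifies real keytab matching (which also considers enctype); it compares the two options above, keeping the old key alongside the new one versus replacing it.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# Constructed sample keys; a real keytab holds enctype-specific key material.
KEY_KVNO3 = b"\x03" * 16
KEY_KVNO4 = b"\x04" * 16
SERVICE = "host/server.example.com@EXAMPLE.COM"  # hypothetical principal

@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    key: bytes

@dataclass
class ServiceTicket:
    service: str
    kvno: int          # kvno of the service key the KDC encrypted it with

@dataclass
class Keytab:
    entries: List[KeytabEntry] = field(default_factory=list)

    def lookup(self, principal: str, kvno: int) -> Optional[bytes]:
        """Match on principal AND kvno: an older key stays usable while present."""
        for e in self.entries:
            if e.principal == principal and e.kvno == kvno:
                return e.key
        return None

    def rotate(self, principal: str, new_kvno: int, new_key: bytes,
               keep_previous: bool) -> None:
        """Add the new key; optionally drop older keys (the 'replace' option)."""
        if not keep_previous:
            self.entries = [e for e in self.entries if e.principal != principal]
        self.entries.append(KeytabEntry(principal, new_kvno, new_key))

def accept_ticket(keytab: Keytab, ticket: ServiceTicket) -> Tuple[bool, str]:
    """Return (accepted, reason) for a ticket presented to the service."""
    key = keytab.lookup(ticket.service, ticket.kvno)
    if key is None:
        return False, f"no key with kvno {ticket.kvno} for {ticket.service}"
    return True, f"decrypted with kvno {ticket.kvno}"

def rotation_scenario(keep_previous: bool) -> Tuple[bool, bool]:
    """Rotate kvno 3 -> 4, then present an old (kvno 3) and a new (kvno 4) ticket."""
    kt = Keytab([KeytabEntry(SERVICE, 3, KEY_KVNO3)])
    old_ticket = ServiceTicket(SERVICE, 3)       # issued before the key change
    kt.rotate(SERVICE, 4, KEY_KVNO4, keep_previous)
    new_ticket = ServiceTicket(SERVICE, 4)       # issued after the KDC has kvno 4
    return accept_ticket(kt, old_ticket)[0], accept_ticket(kt, new_ticket)[0]
```

With `keep_previous=True` both tickets are accepted; with `keep_previous=False` the client holding the kvno 3 ticket is rejected until it obtains a fresh ticket.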