Understanding kvno better

Jeffrey Hutzelman jhutz at cmu.edu
Sat Jun 10 19:03:32 EDT 2006

On Saturday, June 10, 2006 11:13:59 AM +0530 Srinivas Cheruku 
<srinivas.cheruku at gmail.com> wrote:

> Hi All,
> I understand that we need to change Kerberos keys at regular intervals,
> since it is not recommended to use the same keys for a long amount of
> time. When we change keys the kvno is incremented and the old keys are
> also stored in the Kerberos user repository.  Can anyone give me a
> scenario where these old keys are used?
> Also, I want a better understanding of kvno and keys usage in the below
> scenario.
> I have a key extracted in my key table file on the server say with kvno
> 3. The client has got a service ticket with kvno 3. Then, I will change
> the key and extract the key into the key table file, which will be with
> kvno 4. Now, I will be having two keys with kvno 3 and kvno 4 in the key
> table file on the server.
> Since the client had already got the service ticket with kvno 3, and the
> latest key in the key table file is with kvno 4, what should happen if he
> tries to access the service?  Should the service ticket with kvno 3 be
> accepted by the server?  Or should it give an error, since the latest key
> in the key table file is with kvno 4?

Yes, the service will continue to accept tickets issued with kvno 3. 
However, since the KDC always issues tickets with the latest key version in 
the KDB, no new tickets will be issued with the version 3 key.  Eventually 
all outstanding tickets with that key will have expired, and then you can 
remove the old key from the keytab.  The result is that you've effected a 
key change without disrupting service.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
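The rotation described in the reply, as an added example that is not part of the original thread: the service selects its keytab key by the kvno carried in the ticket rather than by "newest", the KDC always seals new tickets with the highest kvno, and an old kvno is only retired once every ticket that could have been sealed with it has expired. The keytab, KDB and "encryption" are simulated (a MAC stands in for the encrypted part) so it runs offline; MAX_TICKET_LIFE and the principal name are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_TICKET_LIFE = 10 * 3600  # assumption: longest lifetime the KDC will put on a ticket


@dataclass
class Ticket:
    principal: str
    kvno: int       # version of the service key the KDC encrypted it with
    endtime: int
    tag: bytes      # stands in for the encrypted ticket part


def seal(key, principal, kvno, endtime):
    """Toy stand-in for encryption: a MAC over the ticket fields."""
    return hmac.new(key, f"{principal}|{kvno}|{endtime}".encode(), hashlib.sha256).digest()


def kdc_issue(kdb, principal, now, lifetime=MAX_TICKET_LIFE):
    """KDC side: always use the highest kvno stored for the principal (kdb: principal -> {kvno: key})."""
    kvno = max(kdb[principal])
    return Ticket(principal, kvno, now + lifetime,
                  seal(kdb[principal][kvno], principal, kvno, now + lifetime))


def service_accept(keytab, ticket, now):
    """Service side: pick the keytab entry matching the ticket's kvno, not the newest one.

    keytab: (principal, kvno) -> (key, time this version was added to the keytab).
    """
    entry = keytab.get((ticket.principal, ticket.kvno))
    if entry is None:
        return False, f"no key with kvno {ticket.kvno} in keytab"
    key, _ = entry
    expected = seal(key, ticket.principal, ticket.kvno, ticket.endtime)
    if not hmac.compare_digest(expected, ticket.tag):
        return False, "decryption failed"
    if now >= ticket.endtime:
        return False, "ticket expired"
    return True, f"accepted with kvno {ticket.kvno}"


def retire_old_keys(keytab, principal, now):
    """Remove superseded kvnos once no ticket sealed with them can still be valid.

    The last ticket with an old kvno was issued no later than the moment the newer
    key became current, so everything sealed with it has expired MAX_TICKET_LIFE later.
    """
    newest = max(k for p, k in keytab if p == principal)
    _, rotated_at = keytab[(principal, newest)]
    if now < rotated_at + MAX_TICKET_LIFE:
        return []
    stale = [k for p, k in list(keytab) if p == principal and k < newest]
    for k in stale:
        del keytab[(principal, k)]
    return stale
```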
