client side password store best practices?

Greg Hudson ghudson at MIT.EDU
Tue Aug 9 19:52:38 EDT 2011


On Tue, 2011-08-09 at 19:34 -0400, Chris Hecker wrote:
> I think I'm confused about the kvno, then.  Is that because the KDC will 
> always use the latest kvno, so the code just sends the latest it's got 
> and hopes it works (and if not, it means the keytab needs updating)?

More or less.  You have to know the current key for an AS exchange (that
may not be true for certain kinds of preauth, but it's the general
design) so there's no need for a kvno.

> But, for other kinds of stuff, like decoding tickets from clients, the 
> server checks the kvno since that's what allows tickets older than a 
> recently changed key to still work?

Right.  If a server re-keys while I already have a ticket for it, the
kvno lets the server pick the correct key for my ticket even though it's
not current.
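The mechanism described in this exchange, modelled as an added example (not part of the mailing-list post and not MIT krb5 code): a service-side keytab holds several versions of a principal's key indexed by kvno, the KDC always seals tickets under the current key, and the service uses the kvno carried in the ticket to pick the matching key, so tickets issued under a previous key keep working after a re-key. The sealing primitive is a toy HMAC-SHA256 construction standing in for a Kerberos enctype, and the principal and client names are constructed; the `Keytab`, `KDC`, `seal` and `unseal` names are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode). Illustration only,
    # not a Kerberos enctype.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


@dataclass
class EncryptedData:
    kvno: int           # version of the service key the ticket was sealed with
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def seal(key: bytes, kvno: int, plaintext: bytes) -> EncryptedData:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return EncryptedData(kvno, nonce, ct, tag)


def unseal(key: bytes, ed: EncryptedData) -> bytes:
    expected = hmac.new(key, ed.nonce + ed.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ed.tag):
        raise ValueError("integrity check failed (wrong key?)")
    return bytes(a ^ b for a, b in zip(ed.ciphertext, _keystream(key, ed.nonce, len(ed.ciphertext))))


class Keytab:
    """Service-side key store: (principal, kvno) -> key.
    Like a real keytab it may hold several versions of one principal's key."""

    def __init__(self):
        self._keys = {}

    def add(self, principal: str, kvno: int, key: bytes) -> None:
        self._keys[(principal, kvno)] = key

    def lookup(self, principal: str, kvno: int) -> bytes:
        try:
            return self._keys[(principal, kvno)]
        except KeyError:
            raise LookupError(f"no key for {principal} kvno {kvno}: keytab needs updating")


class KDC:
    """Holds only the *current* key per service and seals tickets under it."""

    def __init__(self):
        self._db = {}  # principal -> (kvno, key)

    def set_key(self, principal: str, kvno: int, key: bytes) -> None:
        self._db[principal] = (kvno, key)

    def issue_ticket(self, principal: str, client: bytes) -> EncryptedData:
        kvno, key = self._db[principal]
        return seal(key, kvno, b"ticket for " + client)


def service_accept(keytab: Keytab, principal: str, ticket: EncryptedData) -> bytes:
    # The service trusts the kvno in the ticket only to *select* a key;
    # the MAC check in unseal() still decides whether the ticket is genuine.
    key = keytab.lookup(principal, ticket.kvno)
    return unseal(key, ticket)


def demo() -> dict:
    svc = "host/app.example.com"  # constructed principal name
    kdc, keytab = KDC(), Keytab()
    k1 = os.urandom(32)
    kdc.set_key(svc, 1, k1)
    keytab.add(svc, 1, k1)
    old_ticket = kdc.issue_ticket(svc, b"alice")
    # Re-key: KDC and keytab both learn kvno 2; the keytab keeps kvno 1.
    k2 = os.urandom(32)
    kdc.set_key(svc, 2, k2)
    keytab.add(svc, 2, k2)
    new_ticket = kdc.issue_ticket(svc, b"bob")
    results = {
        "old_ticket_kvno": old_ticket.kvno,
        "new_ticket_kvno": new_ticket.kvno,
        "old_ticket_ok": service_accept(keytab, svc, old_ticket) == b"ticket for alice",
        "new_ticket_ok": service_accept(keytab, svc, new_ticket) == b"ticket for bob",
    }
    # Re-key again without refreshing the keytab: the ticket's kvno is unknown
    # to the service, which is the "keytab needs updating" situation.
    kdc.set_key(svc, 3, os.urandom(32))
    stale = kdc.issue_ticket(svc, b"carol")
    try:
        service_accept(keytab, svc, stale)
        results["stale_keytab_error"] = None
    except LookupError as e:
        results["stale_keytab_error"] = str(e)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The kvno is metadata, not a secret, and selecting a key by it does not weaken anything: a ticket sealed under the wrong key still fails the integrity check. What the kvno buys the service is the ability to keep the previous key in its keytab for as long as outstanding tickets may reference it, which is why a keytab rotation should add the new version rather than replace the old one outright.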

More information about the Kerberos mailing list