[PATCH] Wallet: recreate keytab on rekey

Ross Smith rjsm at umich.edu
Mon Apr 1 15:01:22 EDT 2013


This patch implements an option to have keytabs destroyed and
recreated when they are rekeyed.  This adds the configuration directive
KEYTAB_REPLACE to the wallet configuration.  It uses the existing
functions to destroy and create the keytab.

Our use case for this behavior is based on a requirement we have to
keep the kvno of our deployed keytabs constant.

This patch should apply cleanly to the released 1.0 version of wallet.

Ross Smith <rjsm at umich.edu>

-------------------------------------------------------------------------------------------

diff --git a/perl/Wallet/Kadmin/MIT.pm b/perl/Wallet/Kadmin/MIT.pm
index c191bc9..52720e5 100644
--- a/perl/Wallet/Kadmin/MIT.pm
+++ b/perl/Wallet/Kadmin/MIT.pm
@@ -187,11 +187,15 @@ sub keytab_rekey {
         $self->error ("invalid principal name: $principal");
         return;
     }
+    if ($Wallet::Config::KEYTAB_REPLACE) {
+        $self->destroy($principal);
+        $self->create($principal);
+    }
     if ($Wallet::Config::KEYTAB_REALM) {
         $principal .= '@' . $Wallet::Config::KEYTAB_REALM;
     }
     my $file = $Wallet::Config::KEYTAB_TMP . "/keytab.$$";
     unlink $file;
     my $command = "ktadd -q -k $file";
     if (@enctypes) {
         @enctypes = map { /:/ ? $_ : "$_:normal" } @enctypes;
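Review bot: the return values of `$self->destroy($principal)` and `$self->create($principal)` in the new block are never checked, although the surrounding code in keytab_rekey signals failure with `$self->error (...)` followed by `return;`. If destroy fails (for instance because the principal does not exist), create is still attempted and the ktadd below runs against whatever state was left behind, so the caller sees a successful rekey with no indication that the replace step failed; suggest `$self->destroy ($principal) or return;` and `$self->create ($principal) or return;`, assuming those methods follow the same error-and-return convention as the rest of this module. Two smaller points: the new block runs before the `'@' . $Wallet::Config::KEYTAB_REALM` suffix is appended to `$principal`, so please confirm that destroy and create expect the unqualified name; and the diff only touches MIT.pm, so KEYTAB_REPLACE should also be documented in Wallet::Config next to the other KEYTAB_* directives this hunk references, since the cover letter describes it as a new configuration directive.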


More information about the Kerberos mailing list