upgrade the inter-realm trust key to AES

Rick van Rein rick at openfortress.nl
Wed May 27 10:02:15 EDT 2015

> I would like to upgrade my inter-realm trust key from DES to AES.
I've always wondered...

Those descriptions that explain that we need a ticket krbtgt/A at B to
allow clients in realm B to access services in realm A (right?) seem to
forget about one thing, namely to avoid failures authenticating.

In any live setup, I would first setup the service-side KDCs,

    krbtgt/A at B on the KDC for A
    krbtgt/B at A on the KDC for B

and only after the dust on that has settled (replication and such) I
would trust myself to add the tickets to the client-side KDCs,

    krbtgt/A at B on the KDC for B
    krbtgt/B at A on the KDC for A

Likewise, to remove an older krbtgt, I'd want to first remove the
client-side KDC entry, see to it that all replicas are gone, and then
wait for one longest ticket time, and only then remove the service-side
KDC entry.

I didn't see that documented anywhere, though it seems to be the one
sane approach to avoid interruptions to the authentication services.  Right?

(Not sure if this is on-topic, sorry... changing the keys available may
not be the same as setting up fresh crossover trust.)


More information about the Kerberos mailing list