upgrade the inter-realm trust key to AES
Rick van Rein
rick at openfortress.nl
Wed May 27 10:02:15 EDT 2015
List,
> I would like to upgrade my inter-realm trust key from DES to AES.
I've always wondered...
Those descriptions that explain that we need a ticket krbtgt/A at B to
allow clients in realm B to access services in realm A (right?) seem to
forget about one thing, namely to avoid failures authenticating.
In any live setup, I would first setup the service-side KDCs,
krbtgt/A at B on the KDC for A
krbtgt/B at A on the KDC for B
and only after the dust on that has settled (replication and such) I
would trust myself to add the tickets to the client-side KDCs,
krbtgt/A at B on the KDC for B
krbtgt/B at A on the KDC for A
Likewise, to remove an older krbtgt, I'd want to first remove the
client-side KDC entry, see to it that all replicas are gone, and then
wait for one longest ticket time, and only then remove the service-side
KDC entry.
I didn't see that documented anywhere, though it seems to be the one
sane approach to avoid interruptions to the authentication services. Right?
(Not sure if this is on-topic, sorry... changing the keys available may
not be the same as setting up fresh crossover trust.)
Cheers,
-Rick
More information about the Kerberos
mailing list