Rekeying krbtgt and the behaviour of SSH and delegated credentials

Greg Hudson ghudson at
Mon Dec 5 12:01:25 EST 2016

On 12/03/2016 10:59 PM, John Devitofranceschi wrote:
> We ran into this recently and found that renewed tickets were also unusable. They could not even be renewed. Our KDC is 1.13.2.

Thanks.  In hindsight, this bug manifesting with renewed as well as
forwarded tickets should have been obvious as they are both ticket
modification requests, but I hadn't made the connection.

I have submitted a PR to add a regression test case for renewing across
krbtgt rekeys, and another PR to add caveats to the "Changing the krbtgt
key" documentation as you suggested (for this problem and for ).

More information about the Kerberos mailing list