changing password/keys but still being able to use the old ones

Sorin Manolache sorinm at gmail.com
Thu Dec 22 09:15:26 EST 2016 

Hello,

I have the following use-case:

I have a service principal, HTTP/localhost, and its keys have kvno 1. I 
export the keys in a keytab file that I deploy on the http server.

At time moment t_0, I change the password of my service principal. They 
newly generated keys have kvno 2. I use -keepold in the cpw command, so 
I still have the old keys.

At time moment t_1, a user requests a ticket for the service. The ticket 
uses the new keys, i.e. those with kvno 2.

The new keys are not yet exported in the keytab and not deployed on the 
http server.

Therefore, at moment t_2, when the user makes a request to the http 
server, his ticket that uses the kvno 2 keys cannot be validated by the 
service that uses the keytab with the kvno 1 keys.

Once I export the new keys in a keytab and deploy them on the http 
server at moment t_3 everything is back to normal.

Just that between moments t_0 and t_3 users who fetched tickets after 
t_0 are not allowed to use the service.

What I would like to be able to do would be:

At t_0 I change the password but I instruct the KDC to use the old keys. 
(Either I would be able to tell the KDC which kvno to use or I would be 
able to specify the kvno of the new keys when generating them such that 
they have a kvno inferior to that of the old keys).

At t_3 I export all keys (both old and new) in a keytab that I deploy on 
the http server.

Between t_0 and t_3 users that fetch tickets after t_0 are still allowed 
to use the service because their tickets are encrypted with the old keys.

After t_3 users that fetch tickets after t_0 are still allowed to use 
the service because the old keys with which their tickets are encrypted 
are still present in the keytab deployed on the server.

At t_4, I tell the KDC to use the new keys to encrypt tickets. Either by 
directly specifying the kvno to use or by modifying the kvno of the keys 
generated at t_0. I may even purge the old keys. I think this can be 
done by the modprinc command.

Users fetching tickets after t_4 can use the http service because the 
new keys are now available in the keytab deployed on the service.

Is there a way to achieve that? Namely to specify the kvno when creating 
new keys or to tell the KDC which kvno to use when issuing tickets?

Thank in advance,
Sorin

More information about the Kerberos mailing list