changing password/keys but still being able to use the old ones
Greg Hudson
ghudson at mit.edu
Thu Dec 22 11:02:58 EST 2016
On 12/22/2016 09:15 AM, Sorin Manolache wrote:
[...]
> Therefore, at moment t_2, when the user makes a request to the http
> server, his ticket that uses the kvno 2 keys cannot be validated by the
> service that uses the keytab with the kvno 1 keys.
Yes, this is a known weakness of the current kadmin. I think it was
first reported here:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=5339
It becomes a larger problem with clustered services. We discussed some
possible resolutions in this thread on the krbdev list:
http://mailman.mit.edu/pipermail/krbdev/2013-January/011355.html
In terms of immediate resolution, the only option I know of is to use
Roland's admin system:
http://oskt.secure-endpoints.com/krb5_admin.html
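A check for the situation described above, added here as an example and not part of the thread: it parses `klist -k` output from the service host and `kvno` output from a client (both samples below are constructed) and reports principals whose current ticket kvno is missing from the keytab. The host name, realm and keytab path are assumptions.

```python
import re

# Constructed `klist -k` output from the HTTP service host: the keytab was
# written before the key change and still holds only the kvno 1 key.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/www.example.com@EXAMPLE.COM
"""

# Constructed `kvno HTTP/www.example.com` output from a client after the key
# change: the KDC now encrypts service tickets with the kvno 2 key.
KVNO_OUTPUT = "HTTP/www.example.com@EXAMPLE.COM: kvno = 2\n"

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)$")
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)$")


def keytab_kvnos(klist_text):
    """Map each principal in `klist -k` output to the kvnos the keytab holds."""
    held = {}
    for line in klist_text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            held.setdefault(m.group(2), set()).add(int(m.group(1)))
    return held


def issued_kvnos(kvno_text):
    """Map each principal in `kvno` output to the kvno the KDC currently uses."""
    issued = {}
    for line in kvno_text.splitlines():
        m = KVNO_LINE.match(line.strip())
        if m:
            issued[m.group(1)] = int(m.group(2))
    return issued


def stale_principals(klist_text, kvno_text):
    """Principals whose ticket kvno is absent from the keytab, as
    {principal: (kvno the KDC issues, sorted kvnos the keytab holds)}.
    A service using such a keytab fails with KRB5_KT_KVNONOTFOUND
    ("Key version number for principal in key table is incorrect")."""
    held = keytab_kvnos(klist_text)
    return {p: (kv, sorted(held.get(p, ())))
            for p, kv in issued_kvnos(kvno_text).items()
            if kv not in held.get(p, set())}
```

A keytab that keeps the old kvno entry next to the new one reports nothing stale, so tickets issued before and after the change both validate.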