Removing deprecated keys

Greg Hudson ghudson at mit.edu
Wed Nov 1 02:13:54 EDT 2023


On 10/31/23 21:16, Dan Mahoney (Gushi) wrote:
> We've recently gone through all the hard work of switching off 3des on 
> our kdcs and rolling all the things, but one of the things we note is 
> that some of our users still have the keys with the old enctypes 
> present.  Is there a way to delete just those deprecated keys, without 
> forcing a password change?

I don't believe we have that feature currently; the closest we have is 
the kadmin purgekeys command, but that command (and its associated 
libkadm5 RPC) only removes whole key versions.

It would be possible to write a C program using libkdb5 to crawl the 
database and remove the desired keys; I can't think of any simpler 
approach.  I believe common practice is just to force password changes, 
or wait until password maximum lifetimes force changes over time.

If you're at the point of not relying on any des3-cbc-sha1 keys, you can 
set a permitted_enctypes in [libdefaults] on the KDC that does not 
include it (a value of "DEFAULT -des3" should work).  Then the KDC will 
ignore those keys while continuing to allow the other ones to be used.
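Before excluding des3 from `permitted_enctypes`, it helps to know which principals still carry a des3-cbc-sha1 key and, more importantly, which ones have nothing else: a principal whose only keys are of an excluded enctype has no usable key left once the KDC ignores them. The following inventory script is an added example, not code from this message or from MIT krb5. It parses the text that `kadmin.local -q "getprinc <principal>"` prints (the field layout, the sample principals and the `legacy/svc.example.com` name are constructed for the example and are an assumption about the kadmin output format) and sorts principals into clean, mixed, and only-deprecated buckets.

```python
import re
from typing import Dict, List, Set, Tuple

# Enctype names the KDC should no longer rely on. des3-cbc-sha1 is the one the
# thread is about; the set is a parameter so further names can be added.
DEPRECATED_ENCTYPES: Set[str] = {"des3-cbc-sha1"}

# Constructed sample of `kadmin.local -q "getprinc <principal>"` output for
# three principals. The layout is an assumption about the kadmin format, not
# captured from a real KDC:
#   alice       AES keys plus a leftover des3 key
#   bob         AES keys only
#   legacy/svc  des3 key only
SAMPLE_GETPRINC_OUTPUT = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Oct 30 10:00:00 EDT 2023
Number of keys: 3
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 5, aes128-cts-hmac-sha1-96
Key: vno 5, des3-cbc-sha1
Attributes:
Principal: bob@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Oct 31 09:00:00 EDT 2023
Number of keys: 2
Key: vno 7, aes256-cts-hmac-sha1-96
Key: vno 7, aes128-cts-hmac-sha1-96
Attributes:
Principal: legacy/svc.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Fri Mar 12 08:00:00 EST 2021
Number of keys: 1
Key: vno 2, des3-cbc-sha1
Attributes:
"""

PRINCIPAL_LINE = re.compile(r"^Principal: (\S+)$")
# Only the kvno and enctype name are needed; anything after the enctype
# (a salt type or other trailing detail) is ignored.
KEY_LINE = re.compile(r"^Key: vno (\d+), ([A-Za-z0-9-]+)")


def parse_getprinc(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each principal name to its list of (kvno, enctype) keys."""
    keys: Dict[str, List[Tuple[int, str]]] = {}
    current = None
    for line in text.splitlines():
        m = PRINCIPAL_LINE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
            continue
        m = KEY_LINE.match(line)
        if m and current is not None:
            keys[current].append((int(m.group(1)), m.group(2)))
    return keys


def classify_principals(
    keys: Dict[str, List[Tuple[int, str]]],
    deprecated: Set[str] = DEPRECATED_ENCTYPES,
) -> Dict[str, List[str]]:
    """Sort principals by how excluding `deprecated` from permitted_enctypes affects them.

    clean:           no deprecated keys, nothing to do
    mixed:           deprecated keys present, but a modern key exists too, so the
                     principal keeps working once the KDC ignores the old keys
    only_deprecated: every key is deprecated; ignoring them leaves the principal
                     with no usable key, so it needs a password change or rekey first
    """
    result: Dict[str, List[str]] = {"clean": [], "mixed": [], "only_deprecated": []}
    for princ, princ_keys in keys.items():
        enctypes = {enctype for _, enctype in princ_keys}
        if not enctypes & deprecated:
            result["clean"].append(princ)
        elif enctypes - deprecated:
            result["mixed"].append(princ)
        else:
            result["only_deprecated"].append(princ)
    return result


if __name__ == "__main__":
    report = classify_principals(parse_getprinc(SAMPLE_GETPRINC_OUTPUT))
    for bucket, princs in report.items():
        print(f"{bucket}: {', '.join(princs) or '-'}")
```

In practice the input would be the concatenated `getprinc` output for every principal from `getprincs`; the `only_deprecated` bucket is the list to rekey before the `permitted_enctypes` change goes live, while `mixed` principals simply have their des3 keys ignored from then on.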