Removing deprecated keys
Greg Hudson
ghudson at mit.edu
Wed Nov 1 02:13:54 EDT 2023
On 10/31/23 21:16, Dan Mahoney (Gushi) wrote:
> We've recently gone through all the hard work of switching off 3des on
> our kdcs and rolling all the things, but one of the things we note is
> that some of our users still have the keys with the old enctypes
> present. Is there a way to delete just those deprecated keys, without
> forcing a password change?
I don't believe we have that feature currently; the closest we have is
the kadmin purgekeys command, but that command (and its associated
libkadm5 RPC) only removes whole key versions.
It would be possible to write a C program using libkdb5 to crawl the
database and remove the desired keys; I can't think of any simpler
approach. I believe common practice is just to force password changes,
or wait until password maximum lifetimes force changes over time.
If you're at the point of not relying on any des3-cbc-sha1 keys, you can
set a permitted_enctypes in [libdefaults] on the KDC that does not
include it (a value of "DEFAULT -des3" should work). Then the KDC will
ignore those keys while continuing to allow the other ones to be used.
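An added audit helper for the situation described above; it is not part of this thread or of MIT krb5. It assumes you have collected kadmin `getprinc` output for your principals into one text file and reports who still holds 3DES keys and, as a check before restricting `permitted_enctypes`, who would be left with no usable key at their current kvno once the KDC ignores those enctypes:

```python
import re
from collections import defaultdict

# Enctype names the KDC reports for 3DES keys, the family the thread is retiring.
DEPRECATED_ENCTYPES = {"des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"}
PRINC_RE = re.compile(r"^Principal: (\S+)")
KEY_RE = re.compile(r"^Key: vno (\d+), ([^,\s]+)")


def parse_getprinc(text):
    """Return {principal: [(kvno, enctype), ...]} from concatenated getprinc output."""
    keys, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if m := PRINC_RE.match(line):
            current = m.group(1)
            keys[current]  # register the principal even if it lists no keys
        elif (m := KEY_RE.match(line)) and current is not None:
            keys[current].append((int(m.group(1)), m.group(2)))
    return dict(keys)


def audit(keys, deprecated=DEPRECATED_ENCTYPES):
    """Split principals into those still holding a deprecated key and those whose
    current kvno has only deprecated keys (they break once the KDC ignores them)."""
    has_deprecated, at_risk = [], []
    for princ, entries in sorted(keys.items()):
        if not entries:
            continue
        if any(et in deprecated for _, et in entries):
            has_deprecated.append(princ)
        latest = max(kvno for kvno, _ in entries)
        if not any(kvno == latest and et not in deprecated for kvno, et in entries):
            at_risk.append(princ)
    return {"has_deprecated": has_deprecated, "at_risk": at_risk}


# Constructed sample shaped like 'kadmin -q "getprinc NAME"' output; not real data.
SAMPLE = """\
Principal: alice@EXAMPLE.COM
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1
Key: vno 2, des3-cbc-sha1, no salt
Principal: bob@EXAMPLE.COM
Key: vno 2, des3-cbc-sha1
Principal: carol@EXAMPLE.COM
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 5, aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    print(audit(parse_getprinc(SAMPLE)))
```

Principals in `at_risk` need a password change (or rekey) before the des3 keys are hidden; the rest can simply wait for their old key versions to be purged.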