How to rekey kadmin/history
Ken Hornstein
kenh at cmf.nrl.navy.mil
Sat Oct 7 13:03:02 EDT 2023
>In a similar vein to my previous communication, I've found myself trying
>to update my principals from 3DES to AES. While this was successful for
>the most part, one of the issues that evades me is the correct way to
>rekey kadmin/history, as it seems the usual process doesn't work.
>Please could someone advise, as I haven't been able to find the Google
>foo.
The official documentation has the answer:
https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-history-key
Basically you run "cpw -randkey kadmin/history". There's no proper
rollover support, unfortunately; all stored old keys get invalidated.
My memory of the code is that the old keys will stick around in the
database until the principal changes its password.
--Ken