How to rekey kadmin/history
Mike
kerberos at norgie.net
Mon Oct 9 18:30:32 EDT 2023
On 07/10/2023 18:03, Ken Hornstein wrote:
>> In a similar vein to my previous communication, I've found myself trying
>> to update my principals from 3DES to AES. While this was successful for
>> the most part, one of the issues that evades me is the correct way to
>> rekey kadmin/history, as it seems the usual process doesn't work.
>> Please could someone advise, as I haven't been able to find the Google
>> foo.
>
> The official documentation has the answer:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-history-key
>
> Basically you run "cpw -randkey kadmin/history". There's no proper
> rollover support, unfortunately; all stored old keys get invalidated.
> My memory of the code is that the old keys will stick around in the
> database until the principal changes its password.
>
> --Ken
Thanks Ken,
That did it. Basically I was missing out -randkey and getting:
"change_password: Cannot change protected principal while changing
password for "kadmin/history""
Now I get it!
Thanks again,
Mike.
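
An added example, not part of the original thread or of MIT Kerberos: a small Python check that reads `getprinc` output for a principal and reports whether its current key is still a legacy enctype, usable before and after the `cpw -randkey kadmin/history` step discussed above. The `Key: vno N, <enctype>` line layout, the realm EXAMPLE.COM, the list of legacy name fragments and both sample outputs are assumptions constructed for this example.

```python
import re

# Name fragments treated as legacy enctypes (assumption made for this example).
LEGACY_FRAGMENTS = ("des3", "des-", "arcfour", "rc4")

# Matches lines such as "Key: vno 2, aes256-cts-hmac-sha1-96" (assumed layout).
KEY_LINE = re.compile(r"^Key:\s*vno\s+(\d+),\s*(\S+)", re.MULTILINE)

# Constructed sample output, before and after rekeying.
BEFORE = """Principal: kadmin/history@EXAMPLE.COM
Number of keys: 1
Key: vno 1, des3-cbc-sha1
"""
AFTER = """Principal: kadmin/history@EXAMPLE.COM
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96
"""


def parse_keys(getprinc_output):
    """Return [(kvno, enctype), ...] for every Key: line in the output."""
    return [(int(kvno), enctype.rstrip(","))
            for kvno, enctype in KEY_LINE.findall(getprinc_output)]


def is_legacy(enctype):
    """True if the enctype name contains one of the legacy fragments."""
    name = enctype.lower()
    return any(fragment in name for fragment in LEGACY_FRAGMENTS)


def audit(getprinc_output):
    """Summarise the current key version and whether it still needs rekeying."""
    keys = parse_keys(getprinc_output)
    if not keys:
        raise ValueError("no 'Key: vno' lines found in input")
    current = max(kvno for kvno, _ in keys)
    legacy = [e for kvno, e in keys if kvno == current and is_legacy(e)]
    return {
        "kvno": current,
        "needs_rekey": bool(legacy),
        "legacy_enctypes": legacy,
        # Older key versions still stored alongside the current one.
        "old_kvnos": sorted({kvno for kvno, _ in keys if kvno < current}),
    }


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text))
```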