[krbdev.mit.edu #5339] race in normal service key rotation.
Public Submitter via RT
rt-comment at krbdev.mit.edu
Sat Jan 13 02:07:23 EST 2007
There's also a race in normal service key rotation. Observed by
thinking about the code. This is less severe than: 5338 (which I just
filed) but still should be fixed.
When you use ktadd via kadmin:
1. the interface provides a WO interface to the Kerberos DB,
2. the KDC updates its database to have the new key,
3. the KDC tells you what the new key is,
4. you install the new key in your keytab.
If a client beats you between steps 2 and 4 then it will have a fatal
error (for any reason, including network lossage, kadmin client crash, etc.)
The solution to this is to write your own key rotation program which
sets the password over kadmin AFTER you update your keytab.
More information about the krb5-bugs
mailing list