[krbdev.mit.edu #6361] new multi-masterkey support doesn't work well when system clock is set back
william.fiveash@sun.com via RT
rt-comment at krbdev.mit.edu
Wed Feb 4 17:19:18 EST 2009
[william.fiveash at sun.com - Wed Feb 4 17:15:30 2009]:
> If the system clock on a KDC is set back in time after a mkey is
> activated "now" or if the admin sets the active time for all existing
> mkeys in the future it is possible that the code will not find any mkey
> active. This is a problem as there should always be one "active" mkey
> used to protect principal keys. I'd like to address this by making
> several changes including:
>
> - Modify krb5_dbe_find_act_mkey() to return the mkey with the lowest
> KVNO if there are no actkvno entries with a time equal or earlier than
> the current time.
>
> - Modify krb5_dbe_fetch_act_key_list() to return a default actkvno entry
> with time == 0 if there is not actkvno TL data in the mkey princ
> entry. Currently its setting time to the current time but again if
> the clock is set back this could cause problems.
>
> - Remove the code in use_mkey that auto-trims the actkvno list. I
> don't think this is really necessary since the actkvno list will be
> edited when the purge_mkeys command is run.
>
>
- modify kdb5_use_mkey() to error out if the user tries to activate a
mkvno such that there would be no currently active mkey.
More information about the krb5-bugs
mailing list