[PATCH] add support to kadm5 for removing old kvnos

Christopher Allen Wing wingc at engin.umich.edu
Tue Apr 25 12:45:23 EDT 2006

In krb5-1.4.3, there is no way to remove old kvnos for a principal whose 
password was changed using the -keepold option in kadmin.  This is of 
interest when rekeying the TGS key as per the kadmin man page:

 	kadmin:  cpw -randkey -keepold krbtgt/REALM.NAME

I made a patch against 1.4.3 which adds a new kadm5 RPC called 'flushkeys' 
to remove old kvnos.  The patch does the following:

 	1. define FLUSHKEYS_PRINCIPAL kadm5 RPC (#22)

 	2. add kadm5_flushkeys_principal() API to libkadm5clnt and

 	3. hook up support in kadmind, using the 'setkey' ACL permission
 	   (seems reasonable)

 	4. added 'flushkeys' command to kadmin client

 	5. update man pages and documentation

I'm unsure if the patch is too long for this mailing list (561 lines, 18K 
of text); you can get it from here:


I can send it to the list, or break it up into logical pieces and send it 
if that would be better.

Does the patch seem reasonable?  The FLUSHKEYS_PRINCIPAL RPC just removes 
all keys for a principal which are older than the current max kvno.  If 
all keys have the same kvno then it does nothing.

As far as I can guess, this would only be needed for rekeying the TGS key, 
which can be done (with the patch) as follows:

 	kadmin:  cpw -randkey -keepold krbtgt/REALM

(now wait until all previously issued TGTs have expired)

 	kadmin:  flushkeys krbtgt/REALM

(this removes the old kvnos for the TGS key)

All other service principals should be able to be rekeyed by doing a 
regular 'ktadd' and storing the new keys into the application server's 
keytab along with the old kvnos.  The old kvnos shouldn't have to stay in 
the KDC database for any reason, right?

TGS rekeying isn't too common, but it is necessary e.g. when upgrading 
encryption types on an existing krb5 realm.  It would be nice to handle 
this gracefully without hacks like manually editing the old kvnos out of 
the database with a dump.

I can re-do the patch against the latest CVS code if the patch is 
undesirable for 1.4 but would be considered for 1.5.


Chris Wing
wingc at engin.umich.edu
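The rekeying sequence above (rotate with -keepold, wait for outstanding TGTs to expire, then flush) has one check a KDC administrator wants before the flush step: no ticket encrypted under an old kvno can still be valid. The following is an added illustration, not code from the patch or from MIT krb5; it models a principal's key list as simple Python records and implements the flushkeys semantics the mail describes (drop every key whose kvno is below the current maximum; do nothing when all keys share one kvno), plus a constructed safety check that refuses to flush until the realm's maximum ticket lifetime has elapsed since the current kvno was set. `KeyEntry`, `created`, `max_ticket_life` and the `FlushRefused` exception are assumptions for this example, not kadm5 identifiers.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class KeyEntry:
    """Hypothetical stand-in for one key_data entry of a principal."""
    kvno: int
    enctype: str
    created: int  # assumed field: epoch seconds when this kvno was set


class FlushRefused(Exception):
    """Raised when tickets under an old kvno may still be valid."""


def current_kvno(keys: List[KeyEntry]) -> int:
    return max(k.kvno for k in keys)


def old_kvnos_expired(keys: List[KeyEntry], now: int, max_ticket_life: int) -> bool:
    # A TGT issued under an old kvno was issued no later than the moment the
    # current kvno was set, so it cannot outlive that moment plus max_life.
    # (Renewal re-issues a ticket under the current key, so max_life bounds it.)
    cur = current_kvno(keys)
    rotated_at = max(k.created for k in keys if k.kvno == cur)
    return now >= rotated_at + max_ticket_life


def flush_old_kvnos(keys: List[KeyEntry], now: int,
                    max_ticket_life: int) -> Tuple[List[KeyEntry], List[KeyEntry]]:
    """Return (kept, removed) after dropping keys older than the current kvno.

    Mirrors the FLUSHKEYS_PRINCIPAL behaviour described in the mail: keys with
    kvno < max kvno are removed; if all keys share one kvno nothing happens.
    The expiry check is an added safeguard for the 'wait for TGTs to expire' step.
    """
    if not keys:
        return [], []
    cur = current_kvno(keys)
    stale = [k for k in keys if k.kvno < cur]
    if not stale:
        return list(keys), []  # single kvno present: nothing to flush
    if not old_kvnos_expired(keys, now, max_ticket_life):
        raise FlushRefused(
            "tickets issued under kvno < %d may still be valid; wait" % cur)
    kept = [k for k in keys if k.kvno == cur]
    return kept, stale


# Constructed sample: a krbtgt principal rekeyed with -keepold. kvno 1 is the
# legacy single-DES key, kvno 2 the new AES key set at t=1000. Realm max_life
# is assumed to be 10 hours (36000 s).
SAMPLE_KEYS = [
    KeyEntry(kvno=1, enctype="des-cbc-crc", created=0),
    KeyEntry(kvno=2, enctype="aes256-cts-hmac-sha1-96", created=1000),
]
MAX_LIFE = 36000


def demo() -> dict:
    result = {}
    try:
        flush_old_kvnos(SAMPLE_KEYS, now=5000, max_ticket_life=MAX_LIFE)
        result["early"] = "flushed"
    except FlushRefused:
        result["early"] = "refused"
    kept, removed = flush_old_kvnos(SAMPLE_KEYS, now=40000, max_ticket_life=MAX_LIFE)
    result["kept_kvnos"] = sorted(k.kvno for k in kept)
    result["removed_kvnos"] = sorted(k.kvno for k in removed)
    # After the flush every remaining key is at the current kvno, so a second
    # flush is a no-op regardless of time.
    kept2, removed2 = flush_old_kvnos(kept, now=0, max_ticket_life=MAX_LIFE)
    result["second_flush_removed"] = len(removed2)
    return result


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the outcome of an early (refused) flush, the successful flush after the ticket lifetime has passed, and the no-op second flush. The time-based guard is the part kadmin cannot know on its own, which is why the mail's procedure puts a human wait between `cpw -keepold` and `flushkeys`.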

