Documentation patch for changing krbtgt
Christopher Allen Wing
wingc at engin.umich.edu
Tue Aug 15 22:31:29 EDT 2006
That seems correct for now; I have a patch to support expiring old keys
here:
http://www-personal.engin.umich.edu/~wingc/mitk5/krb5-1.4.3-flushkeys.patch
I am currently in the process of redoing it for MIT krb5-1.5; I will
extend it so that you can more finely specify which keys should be
removed (for instance, so that you can remove single-DES keys while
leaving longer keys intact, etc.).
I'll post it to the list when I get an opportunity to finish this work.
Thanks,
Chris Wing
wingc at engin.umich.edu
On Tue, 15 Aug 2006, Russ Allbery wrote:
> Following up on a Zephyr discussion, here's a proposed patch to document
> changing the krbtgt key. Did I say anything inaccurate?
>
> Index: admin.texinfo
> ===================================================================
> --- admin.texinfo (revision 18327)
> +++ admin.texinfo (working copy)
> @@ -1401,6 +1401,7 @@
> * Policies::
> * Global Operations on the Kerberos Database::
> * Cross-realm Authentication::
> +* Changing the krbtgt Key::
> @end menu
>
> @node Kadmin Options, Date Format, Administrating the Kerberos Database, Administrating the Kerberos Database
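Review bot: the new menu entry text must match the target @node name character for character (including capitalization) or makeinfo will fail to resolve it; "Changing the krbtgt Key" here matches the node name introduced in the third hunk, so this hunk is fine as written.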
> @@ -2428,7 +2429,7 @@
> This will have to wait until the next release. *sigh*
> @end ignore
>
> - at node Cross-realm Authentication, , Global Operations on the Kerberos Database, Administrating the Kerberos Database
> + at node Cross-realm Authentication, Changing the krbtgt Key, Global Operations on the Kerberos Database, Administrating the Kerberos Database
> @section Cross-realm Authentication
>
> In order for a KDC in one realm to authenticate Kerberos users in a
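Review bot: the changed @node line (and the @node/@section lines in the next hunk) shows up here as " at node" because the archive rewrites a leading "@" on a line; anyone applying this patch should take it from the original mail rather than the web copy, or the Texinfo commands will be silently turned into prose. The Next pointer added here, "Changing the krbtgt Key", agrees with the new menu entry and with the new node's Prev pointer, so the node chain is consistent.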
> @@ -2463,6 +2464,37 @@
> @value{COMPANY} recommends that TGT principal passwords be at least 26
> characters of random ASCII text.
>
> + at node Changing the krbtgt Key, , Cross-realm Authentication, Administrating the Kerberos Database
> + at section Changing the krbtgt Key
> +
> +A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the
> +principal krbtgt/@i{REALM}. The key for this principal is created when
> +the Kerberos database is initialized and need not be changed. However,
> +it will only have the encryption types supported by the KDC at the time
> +of the initial database creation. To allow use of newer encryption
> +types for the TGT, this key has to be changed.
> +
> +Changing this key using the normal @code{kadmin change_password} command
> +would invalidate any previously issued TGTs. Therefore, when changing
> +this key, normally one should use the @b{-keepold} flag to
> + at code{change_password} to retain the previous key in the database as
> +well as the new key. For example:
> +
> + at smallexample
> + at group
> + at b{kadmin:} change_password -randkey -keepold krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
> + at end group
> + at end smallexample
> +
> +There is currently no way to remove the old key without running
> + at code{change_password} without the @b{-keepold} flag (and thereby
> +invalidating all existing TGTs). After issuing this command, the old
> +key is still valid and is still vulnerable to (for instance) brute force
> +attacks. To completely retire an old key or encryption type, it's
> +therefore currently necessary to declare a flag day, run
> + at code{change_password} without the @b{-keepold} flag, and force all
> +users to acquire new tickets.
> +
> @node Application Servers, Backups of Secure Hosts, Administrating the Kerberos Database, Top
> @chapter Application Servers
>
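Review bot: the opening paragraph of the new section says the krbtgt key "need not be changed", but the closing paragraph explains that an old key kept with -keepold "is still vulnerable to (for instance) brute force attacks" and describes a flag day to retire it, so the two read as contradictory; suggest wording such as "is not normally changed" and naming key retirement alongside newer encryption types as a reason to rotate. Two smaller points in the same hunk: the prose writes the principal as "krbtgt/@i{REALM}" while the example uses "krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}", so the prose should carry the "@@@i{REALM}" suffix for consistency; and the statement "There is currently no way to remove the old key without running @code{change_password} without the @b{-keepold} flag" will need revisiting if the flushkeys patch mentioned in the reply above is merged, since that is exactly the gap it aims to close.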
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>