more ldap concerns
Nicolas Williams
Nicolas.Williams at Sun.COM
Wed Jun 7 19:57:42 EDT 2006
On Wed, Jun 07, 2006 at 07:46:57PM -0400, Jeffrey Hutzelman wrote:
> > Why are the old keys still around?
>
> Because the TGS is an unusual service, in that instead of finding its
> service keys in a keytab, it reads them directly from the KDB. So, if
> changing the TGS's key in the KDB caused the old keys to go away, it
> wouldn't be able to find them any more, and you'd have just invalidated
> every outstanding TGT.
>
> Of course, if invalidating previously-issued TGT's is your goal, then you
> should remove the old keys explicitly.
Agreed. But UI-wise this is no good.
There should be a note about the old keys being retained even though
-keepold wasn't used and an option should be provided to destroy the old
keys anyways...
...OR there should be a prompt if -keepold wasn't used when randkeying a
krbtgt principal.
Or something like that.
Nico
--
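As an added illustration, not code from the thread or from any Kerberos implementation: a small Python model of what Jeffrey describes. The TGS reads its keys straight from its KDB entry, indexed by kvno, so an outstanding TGT sealed under an older kvno stays usable only as long as that kvno is still in the entry. The model keeps old TGS keys on randkey regardless of the keepold flag (the behaviour the thread complains is silent), drops them for ordinary principals unless keepold is set, and offers an explicit purge as the "remove the old keys explicitly" step. The sealing primitive is a constructed HMAC-SHA256 stand-in, not a real Kerberos enctype; all names and the demo principals are assumptions.

```python
import hashlib
import hmac
import secrets


# Toy stand-in for a Kerberos enctype (constructed for this example only):
# HMAC-SHA256 counter keystream for confidentiality plus an HMAC tag.
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, kvno, plaintext):
    """Encrypt + authenticate, recording which kvno was used (as a ticket does)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"kvno": kvno, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(key, blob):
    tag = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("integrity check failed")
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


class KdbEntry:
    """Principal record as the KDC sees it: keys indexed by kvno."""

    def __init__(self, name):
        self.name = name
        self.kvno = 0
        self.keys = {}  # kvno -> key bytes

    def randkey(self, keepold=False):
        """Model of randkeying a principal, with or without -keepold.
        For the TGS principal the old keys are retained either way (the
        behaviour described in the thread); for other principals they are
        dropped unless keepold is set. Returns the new kvno."""
        self.kvno += 1
        self.keys[self.kvno] = secrets.token_bytes(32)
        if not keepold and not self.name.startswith("krbtgt/"):
            self.keys = {self.kvno: self.keys[self.kvno]}
        return self.kvno

    def purge_old_keys(self):
        """Explicit removal of every key but the current one."""
        self.keys = {self.kvno: self.keys[self.kvno]}


def issue_tgt(tgs, client):
    """The AS seals a TGT in the TGS's current key."""
    return seal(tgs.keys[tgs.kvno], tgs.kvno, client.encode())


def tgs_accept(tgs, tgt):
    """The TGS looks the ticket's kvno up in its own KDB entry, not a keytab.
    A kvno that is no longer present makes the TGT unusable (returns None)."""
    key = tgs.keys.get(tgt["kvno"])
    if key is None:
        return None
    try:
        return unseal(key, tgt).decode()
    except ValueError:
        return None


def demo():
    """Randkey the TGS without keepold, then purge explicitly; report whether an
    earlier TGT is still accepted at each stage and which kvnos remain."""
    tgs = KdbEntry("krbtgt/EXAMPLE.COM@EXAMPLE.COM")  # assumed realm
    tgs.randkey()                                  # kvno 1
    tgt = issue_tgt(tgs, "alice@EXAMPLE.COM")      # outstanding TGT under kvno 1
    tgs.randkey(keepold=False)                     # kvno 2; operator expected kvno 1 gone
    after_randkey = tgs_accept(tgs, tgt)           # still accepted: old key retained
    tgs.purge_old_keys()                           # the explicit step Jeffrey mentions
    after_purge = tgs_accept(tgs, tgt)             # now None: TGT invalidated
    return after_randkey, after_purge, sorted(tgs.keys)


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one Nico raises: for `krbtgt/` the randkey call without keepold leaves the entry with two kvnos and the old TGT still valid, while an ordinary service principal loses its old key on the same call. Whether that silent retention should be announced, or prompted for, is the UI question the mail is about.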