Ticket 5338: Race conditions in key rotation
Ken Raeburn
raeburn at MIT.EDU
Wed Jun 18 17:23:05 EDT 2008
On Jun 18, 2008, at 17:01, Jeffrey Altman wrote:
> In order to address this race condition I propose that krb5_send_tgs()
> be modified to retry against the master KDC whenever there is an
> error and the error is not one of KRB5_KDC_UNREACH or
> KRB5_REALM_CANT_RESOLVE.
What's the actual error that would be returned in such a case?
Wouldn't it make sense to do the retry only for one specific error?
A better approach may be to finish up and implement a design that's
been discussed before, which is to allow creation of a key in the
database without enabling it for use, and then separately enabling it
later. This would also be desirable for services like AFS where you
need to distribute a new key to multiple servers before you can start
using it. (This may also relate, at least a bit, to a project Will
Fiveash is helping us with, on-the-fly master key rollover. There are
enough special things about the master key that it may not be all that
relevant though.) I think there's been some public discussion in
archives somewhere, maybe in the context of set/change pw protocols.
I don't recall if server-side (keytab) changes would be needed as well.
Ken
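The following Python model illustrates the race Ken's staged-key design is meant to close: a service principal (an AFS cell in the model) is spread over two hosts, and a new key that becomes usable the moment it is stored on the master can end up in tickets presented to a host that has not received it yet. It is an example added to this archive page, not code from the thread or from MIT krb5, and every class, function and data layout in it is invented for the model (keys are symbolic strings, a "ticket" just records the kvno and key it was issued under, and replicas only learn of changes when propagate() is called).

```python
"""Toy model of a realm with a master KDC, a lagging replica, and one service
principal shared by two hosts. Added example, not MIT krb5 code; all names and
structures here are invented for the model."""
from dataclasses import dataclass, field


@dataclass
class KdcDatabase:
    # principal -> {kvno: (key, enabled)}
    keys: dict = field(default_factory=dict)

    def add_key(self, princ, kvno, key, enabled):
        self.keys.setdefault(princ, {})[kvno] = (key, enabled)

    def enable_key(self, princ, kvno):
        key, _ = self.keys[princ][kvno]
        self.keys[princ][kvno] = (key, True)

    def copy(self):
        return KdcDatabase({p: dict(k) for p, k in self.keys.items()})


@dataclass(frozen=True)
class Ticket:
    service: str
    kvno: int
    key: str


class Kdc:
    """A KDC issues service tickets under the newest *enabled* key."""

    def __init__(self, name, db):
        self.name, self.db = name, db

    def issue(self, service):
        princ = self.db.keys.get(service)
        if not princ:
            raise LookupError(f"{self.name}: unknown principal {service}")
        kvno, key = max((kv, k) for kv, (k, on) in princ.items() if on)
        return Ticket(service, kvno, key)


class Server:
    """One host behind a service principal; keytab maps kvno -> key."""

    def __init__(self, name, keytab):
        self.name, self.keytab = name, dict(keytab)

    def accept(self, ticket):
        return self.keytab.get(ticket.kvno) == ticket.key


def propagate(master, replica):
    """Replicas only learn about master changes when propagation runs."""
    replica.db = master.db.copy()


def build_realm():
    db = KdcDatabase()
    db.add_key("afs/cell", 1, "k1", enabled=True)
    master = Kdc("master", db)
    replica = Kdc("replica", db.copy())
    servers = [Server("fs1", {1: "k1"}), Server("fs2", {1: "k1"})]
    return master, replica, servers


def rotate_immediately():
    """Rotation with no staging: the new key is live on the master as soon as
    it is stored, but the hosts are updated one at a time. A ticket issued
    between the first and the last keytab update is rejected by every host
    that does not hold the key yet."""
    master, _, servers = build_realm()
    master.db.add_key("afs/cell", 2, "k2", enabled=True)
    servers[0].keytab[2] = "k2"           # fs1 updated, fs2 not yet
    t = master.issue("afs/cell")          # a client asks for a ticket now
    return {s.name: s.accept(t) for s in servers}


def rotate_staged():
    """Staged rotation: store kvno 2 disabled, distribute it to every host,
    then enable it. Tickets issued before the enable still carry kvno 1,
    which every host holds, so no host ever sees a key it lacks."""
    master, replica, servers = build_realm()
    master.db.add_key("afs/cell", 2, "k2", enabled=False)
    propagate(master, replica)
    servers[0].keytab[2] = "k2"           # same half-distributed moment
    during = master.issue("afs/cell")     # still kvno 1
    servers[1].keytab[2] = "k2"           # distribution finished
    master.db.enable_key("afs/cell", 2)
    after = master.issue("afs/cell")
    return {
        "kvno_during": during.kvno,
        "during_ok": all(s.accept(during) for s in servers),
        "kvno_after": after.kvno,
        "after_ok": all(s.accept(after) for s in servers),
        # The replica has not seen the enable yet and keeps issuing kvno 1;
        # that is harmless because both hosts still hold k1.
        "replica_kvno": replica.issue("afs/cell").kvno,
    }


if __name__ == "__main__":
    print("immediate:", rotate_immediately())
    print("staged:   ", rotate_staged())
```

The model also shows why the separate enable step tolerates replica lag: a replica that has received the new key but not yet the enable flag keeps issuing tickets under the old kvno, which remains decryptable everywhere until the old key is deliberately retired.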