Ticket 5338: Race conditions in key rotation

Ken Raeburn raeburn at MIT.EDU
Wed Jun 18 17:23:05 EDT 2008

On Jun 18, 2008, at 17:01, Jeffrey Altman wrote:
> In order to address this race condition I propose that krb5_send_tgs()
> be modified to retry against the master KDC whenever there is an
> error and the error is not one of KRB5_KDC_UNREACH or  

What's the actual error that would be returned in such a case?   
Wouldn't it make sense to do the retry only for one specific error?

A better approach may be to finish up and implement a design that's  
been discussed before, which is to allow creation of a key in the  
database without enabling it for use, and then separately enabling it  
later.  This would also be desirable for services like AFS where you  
need to distribute a new key to multiple servers before you can start  
using it.  (This may also relate, at least a bit, to a project Will  
Fiveash is helping us with, on-the-fly master key rollover.  There are  
enough special things about the master key that it may not be all that  
relevant though.)  I think there's been some public discussion in  
archives somewhere, maybe in the context of set/change pw protocols.   
I don't recall if server-side (keytab) changes would be needed as well.


More information about the krbdev mailing list