Ticket 5338: Race conditions in key rotation

Jeffrey Altman jaltman at secure-endpoints.com
Wed Jun 18 18:41:27 EDT 2008


Ken Raeburn wrote:
> On Jun 18, 2008, at 17:01, Jeffrey Altman wrote:
>> In order to address this race condition I propose that krb5_send_tgs()
>> be modified to retry against the master KDC whenever there is an
>> error and the error is not one of KRB5_KDC_UNREACH or  
>> KRB5_REALM_CANT_RESOLVE.
> 
> What's the actual error that would be returned in such a case?   

KRB5KRB_ERR_GENERIC with the error text specifying a kvno not found.

> Wouldn't it make sense to do the retry only for one specific error?

I don't think so.  I think that any misconfiguration of a slave KDC
should result in the master being asked since the master's response is
going to be definitive.

> A better approach may be to finish up and implement a design that's  
> been discussed before, which is to allow creation of a key in the  
> database without enabling it for use, and then separately enabling it  
> later. 

This is absolutely a good long-term project but it doesn't help
the clients that are going to be stuck talking to old KDCs.

The retry change is much smaller and doesn't require any server upgrades
or key management process changes to take effect.

I want to see the key rollover management changes but I think
it is an orthogonal problem.

Jeffrey Altman
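The retry policy argued for above, written out as an added example that is not part of this thread or of MIT Kerberos: the KDCs, the error enum and the `kvno` check are a constructed model (the enum names mirror the ones discussed, but the values are not libkrb5's, and `send_tgs_with_fallback`, `tgs_request` and `scenario` are hypothetical names). It shows the four cases that matter: a stale slave after rotation, a slave that is unreachable (no retry), a request that already went to the master (no second try), and a stale slave whose master is down (the slave's original error is kept, since the master gave no definitive answer).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed error model for this example. The names mirror the ones in the
 * thread, but these values are NOT libkrb5's error codes. */
typedef enum {
    KRB_OK = 0,
    KRB_KDC_UNREACH,         /* could not contact the KDC at all */
    KRB_REALM_CANT_RESOLVE,  /* no KDC could be located for the realm */
    KRB_ERR_GENERIC          /* KDC replied with KRB-ERROR, e.g. "kvno not found" */
} krb_err;

/* Simulated KDC (constructed): it knows keys up to highest_kvno, which lags on a
 * slave until propagation from the master has run. */
typedef struct {
    const char *name;
    bool reachable;
    int highest_kvno;
} kdc_t;

typedef struct {
    krb_err err;
    bool retried;             /* master was consulted after the first KDC failed */
    const char *answered_by;  /* name of the KDC whose answer is reported */
    char errtext[96];
} tgs_result;

/* One simulated TGS exchange. The only failure modes modelled are "unreachable"
 * and "the KDC does not have the key version the ticket names". */
static krb_err tgs_request(const kdc_t *kdc, int ticket_kvno, char *errtext, size_t len) {
    if (!kdc->reachable) {
        snprintf(errtext, len, "%s: unreachable", kdc->name);
        return KRB_KDC_UNREACH;
    }
    if (ticket_kvno > kdc->highest_kvno) {
        snprintf(errtext, len, "%s: kvno %d not found", kdc->name, ticket_kvno);
        return KRB_ERR_GENERIC;
    }
    snprintf(errtext, len, "%s: ok", kdc->name);
    return KRB_OK;
}

/* The proposed policy: retry against the master for any error except the two
 * that mean "we never got an answer from any KDC". */
static bool should_retry_on_master(krb_err e) {
    return e != KRB_OK && e != KRB_KDC_UNREACH && e != KRB_REALM_CANT_RESOLVE;
}

/* send_tgs with master fallback. `first` is the KDC chosen initially (e.g. from
 * DNS or krb5.conf); `master` may equal `first`, in which case nothing is retried. */
static tgs_result send_tgs_with_fallback(const kdc_t *first, const kdc_t *master, int ticket_kvno) {
    tgs_result r = { .retried = false, .answered_by = first->name };
    r.err = tgs_request(first, ticket_kvno, r.errtext, sizeof r.errtext);
    if (r.err == KRB_OK || !should_retry_on_master(r.err) || master == NULL || master == first)
        return r;

    char master_text[96];
    krb_err m = tgs_request(master, ticket_kvno, master_text, sizeof master_text);
    r.retried = true;
    if (m == KRB_KDC_UNREACH) {
        /* Master gave no answer, so the slave's error stays the reported one. */
        return r;
    }
    /* Master answered: its verdict (success or KRB-ERROR) is definitive. */
    r.err = m;
    r.answered_by = master->name;
    snprintf(r.errtext, sizeof r.errtext, "%s", master_text);
    return r;
}

/* Scalar-argument wrapper so one scenario is a single call. */
static tgs_result scenario(int slave_kvno, bool slave_up, int master_kvno, bool master_up,
                           int ticket_kvno, bool start_at_master) {
    kdc_t slave = { "slave", slave_up, slave_kvno };
    kdc_t master = { "master", master_up, master_kvno };
    return send_tgs_with_fallback(start_at_master ? &master : &slave, &master, ticket_kvno);
}

int main(void) {
    /* Rotation just happened: the ticket uses kvno 3, the slave still only has kvno 2. */
    tgs_result r = scenario(2, true, 3, true, 3, false);
    printf("stale slave: err=%d retried=%d answered_by=%s (%s)\n",
           r.err, r.retried, r.answered_by, r.errtext);
    r = scenario(2, false, 3, true, 3, false);
    printf("slave down:  err=%d retried=%d (%s)\n", r.err, r.retried, r.errtext);
    return 0;
}
```

The one design choice not spelled out in the message is what to report when the master itself cannot be reached on the retry; the example keeps the slave's original KRB-ERROR rather than replacing it with an "unreachable" that would hide the kvno mismatch from the client's logs.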