Ticket 5338: Race conditions in key rotation

Roland Dowdeswell elric at imrryr.org
Tue Jun 24 13:56:20 EDT 2008

On 1214327076 seconds since the Beginning of the UNIX epoch
"Henry B. Hotz" wrote:

>> Incremental propagation does not solve race conditions.  It just
>> makes one runner a little faster but the underlying issue still
>> exists.
>> I'm not convinced that I would like to have a multi-master scheme,
>> it seems that it would add complexity for little additional value.
>As a practical matter incremental propagation (a la Heimdal, sorry)  
>makes these issues moot, as long as it's reliable enough.  If it  
>fails, it should most likely be due to a network problem, which is  
>exactly what the slave is there to mitigate in my case.  I would  
>imagine there are other institutions where you might want a  
>fail_if_stale threshold on a slave.

An example of a case which incremental propagation does not
mitigate is changing your TGS key if you round robin between KDCs
in a random order.  If you get kvno 7 from the first slave and then
present it to another slave which has only kvno 6 then you will
get a failure.  A lot of environments will use the TGT immediately
after it is obtained in order to get AFS tokens.  So, your window
is a few milliseconds.

>Fail-to-master seems reasonable, but it seems like mitigation rather  
>than solution.

You can prove that failing to the master would solve the race as
long as the master is available pretty trivially.

    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/
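
The kvno race described in this message, and the fail-to-master retry discussed in the thread, as a toy simulation. This is an added example, not part of the original message and not MIT krb5 or Heimdal code; the `KDC` class, the HMAC standing in for ticket encryption, and the principal name are constructed assumptions.

```python
import hashlib
import hmac
import os

class KDC:
    """Toy KDC holding krbtgt keys by kvno (constructed model, not real Kerberos)."""
    def __init__(self, name):
        self.name = name
        self.tgs_keys = {}  # kvno -> krbtgt key bytes

    def _mac(self, kvno, principal):
        return hmac.new(self.tgs_keys[kvno], principal.encode(), hashlib.sha256).digest()

    def issue_tgt(self, principal):
        kvno = max(self.tgs_keys)  # issue under the newest key this KDC has
        return {"principal": principal, "kvno": kvno, "mac": self._mac(kvno, principal)}

    def tgs_req(self, tgt):
        """Return (ok, detail) for a TGT presented to this KDC."""
        if tgt["kvno"] not in self.tgs_keys:
            return False, f"{self.name}: no krbtgt key with kvno {tgt['kvno']}"
        ok = hmac.compare_digest(self._mac(tgt["kvno"], tgt["principal"]), tgt["mac"])
        return ok, f"{self.name}: {'ticket accepted' if ok else 'integrity check failed'}"

def tgs_req_fail_to_master(kdc, master, tgt):
    """Retry on the master when a slave rejects the TGT."""
    ok, detail = kdc.tgs_req(tgt)
    if not ok and kdc is not master:
        return master.tgs_req(tgt)
    return ok, detail

def simulate():
    master, slave1, slave2 = KDC("master"), KDC("slave1"), KDC("slave2")
    k6, k7 = os.urandom(32), os.urandom(32)
    for kdc in (master, slave1, slave2):
        kdc.tgs_keys[6] = k6
    # Key rotation in flight: kvno 7 has reached slave1 but not yet slave2.
    master.tgs_keys[7] = k7
    slave1.tgs_keys[7] = k7
    tgt = slave1.issue_tgt("user@EXAMPLE.COM")  # AS exchange lands on slave1
    raced = slave2.tgs_req(tgt)                 # TGS exchange lands on slave2
    recovered = tgs_req_fail_to_master(slave2, master, tgt)
    return tgt["kvno"], raced, recovered

if __name__ == "__main__":
    for item in simulate():
        print(item)
```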
