Ticket 5338: Race conditions in key rotation
Roland Dowdeswell
elric at imrryr.org
Tue Jun 24 13:56:20 EDT 2008
On 1214327076 seconds since the Beginning of the UNIX epoch
"Henry B. Hotz" wrote:
>
>> Incremental propagation does not solve race conditions. It just
>> makes one runner a little faster but the underlying issue still
>> exists.
>>
>> I'm not convinced that I would like to have a multi-master scheme,
>> it seems that it would add complexity for little additional value.
>
>As a practical matter incremental propagation (a la Heimdal, sorry)
>makes these issues moot, as long as it's reliable enough. If it
>fails, it should most likely be due to a network problem, which is
>exactly what the slave is there to mitigate in my case. I would
>imagine there are other institutions where you might want a
>fail_if_stale threshold on a slave.

An example of a case which incremental propagation does not
mitigate is changing your TGS key if you round robin between KDCs
in a random order. If you get kvno 7 from the first slave and then
present it to another slave which has only kvno 6 then you will
get a failure. A lot of environments will use the TGT immediately
after it is obtained in order to get AFS tokens. So, your window
is a few milliseconds.

>Fail-to-master seems reasonable, but it seems like mitigation rather
>than solution.

You can prove that failing to the master would solve the race as
long as the master is available pretty trivially.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
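
The kvno 6/7 race and the fail-to-master argument discussed in this message, modelled as an added example; it is not part of the original message and is not MIT krb5 or Heimdal code. The `KDC` class, the key values, and the assumptions that KDCs keep old TGS keys and that a new kvno always reaches the master before any slave are constructed for illustration.

```python
# Constructed model of the kvno race; not MIT krb5 or Heimdal code.
from dataclasses import dataclass, field
from itertools import combinations, product

@dataclass
class KDC:
    name: str
    tgs_keys: dict = field(default_factory=dict)  # kvno -> key (old keys kept)

    def issue_tgt(self):
        # AS exchange: TGT is encrypted under the newest TGS key held here.
        kvno = max(self.tgs_keys)
        return {"kvno": kvno, "key": self.tgs_keys[kvno]}

    def tgs_req(self, tgt):
        # TGS exchange: works only if this KDC holds the kvno the TGT names.
        return self.tgs_keys.get(tgt["kvno"]) == tgt["key"]

def rotate(master, reached, new_key):
    # Assumption: the new kvno lands on the master first, then on the
    # slaves that propagation has reached so far.
    kvno = max(master.tgs_keys) + 1
    for kdc in [master, *reached]:
        kdc.tgs_keys[kvno] = new_key
    return kvno

def get_ticket(as_kdc, tgs_kdc, master=None):
    # Returns the name of the KDC that answered the TGS request, or None.
    tgt = as_kdc.issue_tgt()
    if tgs_kdc.tgs_req(tgt):
        return tgs_kdc.name
    if master is not None and master.tgs_req(tgt):
        return master.name  # fail-to-master retry
    return None

def sweep(n_slaves=3):
    # Every propagation state x every (AS slave, TGS slave) pair.
    failures = {"no_fallback": 0, "fail_to_master": 0}
    for r in range(n_slaves + 1):
        for updated in combinations(range(n_slaves), r):
            master = KDC("master", {6: b"k6-constructed"})
            slaves = [KDC(f"slave{i}", {6: b"k6-constructed"}) for i in range(n_slaves)]
            rotate(master, [slaves[i] for i in updated], b"k7-constructed")
            for a, t in product(slaves, repeat=2):
                failures["no_fallback"] += get_ticket(a, t) is None
                failures["fail_to_master"] += get_ticket(a, t, master) is None
    return failures

if __name__ == "__main__":
    print(sweep())  # {'no_fallback': 12, 'fail_to_master': 0}
```

In this model a request fails only when the TGT came from a slave that already has kvno 7 and is presented to one that has only kvno 6; the reverse direction works because the updated slave still holds kvno 6.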