Ticket 5338: Race conditions in key rotation
elric at imrryr.org
Tue Jun 24 13:56:20 EDT 2008
On 1214327076 seconds since the Beginning of the UNIX epoch
"Henry B. Hotz" wrote:
>> Incremental propagation does not solve race conditions. It just
>> makes one runner a little faster but the underlying issue still
>> I'm not convinced that I would like to have a multi-master scheme,
>> it seems that it would add complexity for little additional value.
>As a practical matter incremental propagation (a la Heimdal, sorry)
>makes these issues moot, as long as it's reliable enough. If it
>fails, it should most likely be due to a network problem, which is
>exactly what the slave is there to mitigate in my case. I would
>imagine there are other institutions where you might want a
>fail_if_stale threshold on a slave.
An example of a case which incremental propagation does not
mitigate is changing your TGS key if you round robin between KDCs
in a random order. If you get kvno 7 from the first slave and then
present it to another slave which has only kvno 6 then you will
get a failure. A lot of environments will use the TGT immediately
after it is obtained in order to get AFS tokens. So, your window
is a few milliseconds.
>Fail-to-master seems reasonable, but it seems like mitigation rather
You can prove that failing to the master would solve the race as
long as the master is available pretty trivially.
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
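
The kvno 7 / kvno 6 race described above, and the fail-to-master retry, as a toy model added here; it is not part of the original message and is not MIT krb5 or Heimdal code. The `KDC` class, the key values, the `get_service_ticket` helper and the assumption that every KDC keeps its older kvnos are all hypothetical.

```python
# Toy model (constructed for illustration) of the TGS key rotation race.

class KDC:
    def __init__(self, name):
        self.name = name
        self.tgs_keys = {}  # kvno -> krbtgt key material held by this KDC

    def issue_tgt(self, client):
        kvno = max(self.tgs_keys)  # encrypt under the newest key this KDC has
        return {"client": client, "kvno": kvno, "key": self.tgs_keys[kvno]}

    def tgs_request(self, tgt):
        # A TGS can only decrypt a TGT if it holds that kvno of the krbtgt key.
        key = self.tgs_keys.get(tgt["kvno"])
        if key is None or key != tgt["key"]:
            raise LookupError(f"{self.name}: no krbtgt key with kvno {tgt['kvno']}")
        return f"service ticket for {tgt['client']} from {self.name}"


def build_realm():
    """All KDCs start at kvno 6 (assumed to be retained after rotation).
    The master rotates to kvno 7; the change has reached slave1 only."""
    master, slave1, slave2 = KDC("master"), KDC("slave1"), KDC("slave2")
    for kdc in (master, slave1, slave2):
        kdc.tgs_keys[6] = b"constructed-key-v6"
    master.tgs_keys[7] = b"constructed-key-v7"
    slave1.tgs_keys[7] = b"constructed-key-v7"  # propagated
    return master, slave1, slave2               # slave2 is still stale


def get_service_ticket(tgt, kdc, master=None):
    """Present the TGT to `kdc`; if `master` is given, retry there on failure."""
    try:
        return kdc.tgs_request(tgt)
    except LookupError:
        if master is None:
            raise
        return master.tgs_request(tgt)  # fail-to-master: master always has the key


if __name__ == "__main__":
    master, slave1, slave2 = build_realm()
    tgt = slave1.issue_tgt("alice")             # TGT under kvno 7
    try:
        get_service_ticket(tgt, slave2)         # stale slave: fails
    except LookupError as err:
        print("without retry:", err)
    print("with retry:", get_service_ticket(tgt, slave2, master=master))
```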