questions regarding master key enctype migration
raeburn at MIT.EDU
Tue Mar 11 02:06:31 EDT 2008
On Mar 11, 2008, at 00:06, Will Fiveash wrote:
> One thing I wonder about given the above is whether it is reasonable to
> allow kprop (or the Solaris iprop) to update the KDC's stash file (if it
> exists) with the new current mkey in the K/M princ entry, assuming it can
> determine that the K/M princ's mkey is newer. Thoughts?
I don't see why something like that wouldn't be reasonable, when
using a db2 or similar back end where we manage the propagation.
Adding a new key is easy. We might want to be more careful about
removing old keys that have been purged, but if we keep the database
consistent on the master, that should still never break things.
We probably want the ability to do something like that on the master
KDC, though perhaps invoking it should be a manual process. Maybe a
kdb5_util command invoked directly or via kpropd/ipropd?
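The stash-update policy discussed above (add any master key the K/M entry carries that the stash lacks; treat removal of purged keys as a separate, explicit decision; refuse to proceed if the two sides disagree about an existing kvno) can be modelled in a few lines. The following Python is an added illustration written for this archive page, not code from MIT Kerberos, the Solaris iprop implementation, or either poster; the `MasterKey` record, the function names, and the sample key material are all constructed for the example, and the real stash file format and K/M principal layout are not reproduced.

```python
"""Model of a slave-side stash update driven by a propagated K/M entry.

Hypothetical illustration: the K/M principal and the stash file are both
represented as lists of MasterKey records keyed by kvno. Nothing here reads
or writes a real KDC database or stash file.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class MasterKey:
    kvno: int        # key version number, increases with each new master key
    enctype: str     # enctype label (constructed; only used for display)
    keydata: bytes   # raw key bytes (constructed sample values below)


def index_by_kvno(keys: Iterable[MasterKey]) -> Dict[int, MasterKey]:
    """Map kvno -> key, rejecting duplicate kvnos on either side."""
    idx: Dict[int, MasterKey] = {}
    for k in keys:
        if k.kvno in idx:
            raise ValueError(f"duplicate kvno {k.kvno}")
        idx[k.kvno] = k
    return idx


def km_is_newer(km_keys: Iterable[MasterKey], stash_keys: Iterable[MasterKey]) -> bool:
    """The 'K/M princ's mkey is newer' test from the thread: the propagated
    K/M entry carries a higher kvno than anything in the local stash."""
    return max(index_by_kvno(km_keys), default=0) > max(index_by_kvno(stash_keys), default=0)


def plan_stash_update(
    km_keys: Iterable[MasterKey],
    stash_keys: Iterable[MasterKey],
    remove_purged: bool = False,
) -> Tuple[List[MasterKey], List[MasterKey]]:
    """Compute (keys_to_add, keys_to_remove) for the local stash.

    Adding is automatic. Removing keys the master has purged only happens
    when the operator opts in, matching the caution expressed in the reply.
    """
    km = index_by_kvno(km_keys)
    st = index_by_kvno(stash_keys)
    # A kvno present on both sides must carry identical material; otherwise
    # the stash and the database have diverged and we refuse to guess.
    for kvno in km.keys() & st.keys():
        if km[kvno] != st[kvno]:
            raise ValueError(f"kvno {kvno} differs between K/M entry and stash")
    to_add = [km[v] for v in sorted(km) if v not in st]
    to_remove = [st[v] for v in sorted(st) if v not in km] if remove_purged else []
    return to_add, to_remove


def apply_plan(
    stash_keys: Iterable[MasterKey],
    to_add: Iterable[MasterKey],
    to_remove: Iterable[MasterKey],
) -> List[MasterKey]:
    """Return the new stash contents, sorted by kvno."""
    st = index_by_kvno(stash_keys)
    for k in to_remove:
        st.pop(k.kvno, None)
    for k in to_add:
        st[k.kvno] = k
    return [st[v] for v in sorted(st)]


# Constructed sample data: the master has added a kvno 2 AES key, while the
# slave's stash still holds only the original kvno 1 key.
KM_ENTRY = [
    MasterKey(1, "des3-cbc-sha1", b"\x01" * 24),
    MasterKey(2, "aes256-cts-hmac-sha1-96", b"\x02" * 32),
]
STASH = [MasterKey(1, "des3-cbc-sha1", b"\x01" * 24)]


if __name__ == "__main__":
    if km_is_newer(KM_ENTRY, STASH):
        add, rm = plan_stash_update(KM_ENTRY, STASH)
        print("add kvnos:", [k.kvno for k in add], "remove kvnos:", [k.kvno for k in rm])
        print("stash after:", [(k.kvno, k.enctype) for k in apply_plan(STASH, add, rm)])
```

With the sample data the planner adds kvno 2 and removes nothing; if the master later purges kvno 1 from K/M, the slave's stash keeps it until `remove_purged=True` is passed, and any kvno whose key bytes differ between the two sides aborts the update instead of silently overwriting the stash.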