questions regarding master key enctype migration

Ken Raeburn raeburn at MIT.EDU
Tue Mar 11 02:06:31 EDT 2008


On Mar 11, 2008, at 00:06, Will Fiveash wrote:
> One thing I wonder about given the above is whether it is reasonable to
> allow kprop (or the Solaris iprop) to update the KDC's stash file (if it
> exists) with the new current mkey in the K/M princ entry, assuming it can
> determine that the K/M princ's mkey is newer.  Thoughts?

I don't see why something like that wouldn't be reasonable, when using a db2
or similar back end where we manage the propagation.  Adding a new key is
easy.  We might want to be more careful about removing old keys that have
been purged, but if we keep the database consistent on the master, that
should still never break things.

We probably want the ability to do something like that on the master KDC,
though perhaps invoking it should be a manual process.  Maybe a kdb5_util
command invoked directly or via kpropd/ipropd?

Ken
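The stash update Will asks about and Ken calls reasonable, modelled as an added example (this is not code from the thread or from MIT krb5): kpropd/ipropd receives the K/M principal entry, adds any master key version the local stash does not yet hold, and leaves already-stashed versions alone even when the master has purged them. Assumptions not stated on the page: the stash is a v2 keytab (magic 0x0502) holding one K/M@REALM entry per master key version, as later MIT releases write it; the propagated K/M entry is modelled as (kvno, enctype, key) tuples rather than parsed from a real dump or iprop record; the realm, principal and key bytes are constructed.

```python
"""
Model of a kpropd/ipropd-side stash update driven by the K/M principal entry.

Added example, not code from the krbdev thread or from MIT krb5.  Assumes the
stash is a v2 keytab (magic 0x0502) with one K/M@REALM entry per master key
version (kvno).  The propagated K/M entry is modelled as (kvno, enctype, key)
tuples; the real record format is not parsed here.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"
KM_PRINC = "K/M@EXAMPLE.COM"          # constructed realm for the example


def _counted(buf, off):
    """Read a 16-bit big-endian length-prefixed octet string at offset off."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data):
    """Parse a v2 keytab into a list of {principal, kvno, enctype, key} dicts."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a v2 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno trails the keyblock
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def build_keytab(entries):
    """Serialise entries back into v2 keytab bytes (inverse of parse_keytab)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e["principal"].split("@")
        comps = [c.encode() for c in name.split("/")]
        realm = realm.encode()
        body = struct.pack(">HH", len(comps), len(realm)) + realm
        for c in comps:
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">IIB", 1, 0, e["kvno"] & 0xFF)   # NT_PRINCIPAL, ts 0
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])                  # full 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def merge_mkeys(stash_entries, km_keys, principal=KM_PRINC):
    """Add every (kvno, enctype, key) from the K/M entry that is not stashed yet.

    Stashed versions are never removed, even if the master has purged them, so
    a slave still mid-propagation can decrypt every record it currently holds.
    Returns (new_entries, added_kvnos)."""
    have = {e["kvno"] for e in stash_entries if e["principal"] == principal}
    merged, added = list(stash_entries), []
    for kvno, enctype, key in km_keys:
        if kvno not in have:
            merged.append({"principal": principal, "kvno": kvno,
                           "enctype": enctype, "key": key})
            added.append(kvno)
    return merged, sorted(added)


def current_mkey_kvno(entries, principal=KM_PRINC):
    """Highest stashed kvno for the principal, i.e. the newest master key."""
    return max(e["kvno"] for e in entries if e["principal"] == principal)


# Constructed data: a slave stash holding only the original des3 (enctype 16)
# master key, and a propagated K/M entry that now also carries an aes256
# (enctype 18) key at kvno 2.  Key bytes are placeholders, not real keys.
OLD_STASH = build_keytab([
    {"principal": KM_PRINC, "kvno": 1, "enctype": 16, "key": bytes(range(24))}])
KM_ENTRY = [(1, 16, bytes(range(24))), (2, 18, bytes(range(32)))]

if __name__ == "__main__":
    merged, added = merge_mkeys(parse_keytab(OLD_STASH), KM_ENTRY)
    print("added kvnos:", added, "current mkey kvno:", current_mkey_kvno(merged))
    new_stash = build_keytab(merged)      # a real tool would write this atomically
```

The merge is deliberately add-only: a K/M entry that has lost a purged kvno on the master leaves the slave's copy of that key in place, which is the conservative side of the trade-off Ken raises. Removal would be a separate, explicit step.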


