Update to the design of the Master Key Migration project
Ken Hornstein
kenh at cmf.nrl.navy.mil
Thu Sep 25 14:41:58 EDT 2008
>Everything that's highlighted is new: 'randkey' and 'delkeys'
>sub-commands, kvnos in use output line, and modprinc '-use_kvno' option.
>
>Yes, I realize that 'delkeys' would require a protocol change, so phat
>chance of that. I can live without 'delkeys'. (Or can the randkey RPCs
>be twisted to do a don't-add-keys-just-delete-old-keys RPC? Do we even
>care?)
You know, from a practical perspective, "delkeys" would be helpful.
Not only would it be useful in this case, but I would _love_ the ability
to delete a particular key (based on the enctype) from a principal.
Sample situation - I generate a new host key based on our default enctypes.
I put that on a host, and I discover that I screwed up and put a key
in the keytab that the host's Kerberos implementation cannot support.
It would be wonderful if I could delete that key (or otherwise make it
so the KDC would never issue a service ticket for it) without having
to rekey that host.
--Ken
More information about the krbdev mailing list