Update to the design of the Master Key Migration project

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Sep 25 14:41:58 EDT 2008

>Everything that's highlighted is new: 'randkey' and 'delkeys'
>sub-commands, kvnos in use output line, and modprinc '-use_kvno' option.
>Yes, I realize that 'delkeys' would require a protocol change, so phat
>chance of that.  I can live without 'delkeys'.  (Or can the randkey RPCs
>be twisted to do a don't-add-keys-just-delete-old-keys RPC?  Do we even

You know, from a practical perspective, "delkeys" would be helpful.
Not only would be useful in this case, but I would _love_ the ability
to delete a particular key (based on the enctype) from a principal.
Sample situation - I generate a new host key based on our default enctypes.
I put that on a host, and I discover that I screwed up and put a key
in the keytab that the host's Kerberos implementation cannot support.
It would be wonderful if could delete that key (or otherwise make it
so the KDC would never issue a service ticket for it) without having
to rekey that host.


More information about the krbdev mailing list