Issues with Active Directory <-> MIT x-realm key replacement

Sam Hartman hartmans at MIT.EDU
Wed Dec 8 22:25:51 EST 2010

Your proposed design sounds good to me.

Here are some additional reasons why I think that design will be fine
1) If you want security at the expense of availability, you do not use
the -keepold option on kpasswd.

2) We plan to implement behavior that allows an administrator to purge
old keys. Once that is done your approach wil definitely be fine.  I
think even without this it is fine.


More information about the krbdev mailing list