Removing old keys
Jonathan Reams
jr3074 at columbia.edu
Mon Sep 20 15:31:55 EDT 2010
We're re-keying our principals during our migration to krb5-1.8.3 to take advantage of newer encryption types, and to reduce visibility to the end user, we're using the keepold flag when updating service principals. The problem is that there doesn't appear to be away to prune out the old keys after they expire (the time the password change occurred plus the maximum renewable lifetime of the principal). Is there a mechanism for pruning old keys in the same way that kdb5_util lets you purge old master keys that are no longer being used?
Jonathan Reams
Assoc. Systems Engineer
Columbia University
jreams at columbia.edu
More information about the krbdev
mailing list