Removing old keys
Russ Allbery
rra at stanford.edu
Mon Sep 20 15:47:17 EDT 2010
Jonathan Reams <jr3074 at columbia.edu> writes:
> We're re-keying our principals during our migration to krb5-1.8.3 to
> take advantage of newer encryption types, and to reduce visibility to
> the end user, we're using the keepold flag when updating service
> principals. The problem is that there doesn't appear to be away to prune
> out the old keys after they expire (the time the password change
> occurred plus the maximum renewable lifetime of the principal).
Yup, that's correct.
> Is there a mechanism for pruning old keys in the same way that kdb5_util
> lets you purge old master keys that are no longer being used?
Unfortunately, no. You have to do something ugly like dump the database,
edit the dump, and reload the database.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev
mailing list