Removing old keys

Greg Hudson ghudson at MIT.EDU
Mon Sep 20 15:50:05 EDT 2010


On Mon, 2010-09-20 at 15:31 -0400, Jonathan Reams wrote:
> We're re-keying our principals during our migration to krb5-1.8.3 to
> take advantage of newer encryption types, and to reduce visibility to
> the end user, we're using the keepold flag when updating service
> principals. The problem is that there doesn't appear to be a way to
> prune out the old keys after they expire (the time the password change
> occurred plus the maximum renewable lifetime of the principal). Is
> there a mechanism for pruning old keys in the same way that kdb5_util
> lets you purge old master keys that are no longer being used?

To the best of my understanding, there is not, short of dumpfile
editing.  This is a long-standing shortcoming in the kadmin system,
which we simply haven't gotten around to correcting.
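Until something like a purge command exists, the practical question is when the
kept-old keys are actually dead. The script below is an added example, not code
from this thread or from MIT krb5: it parses the text printed by
`kadmin getprinc <principal>` (line labels and the "N days HH:MM:SS" duration
rendering are assumed from MIT krb5 1.8; the sample output is constructed, not
captured from a real KDC) and applies the criterion from the question: any key
with a kvno below the current one was superseded no later than the last
password change, so once last-password-change plus maximum renewable life has
passed, no ticket encrypted under those keys can still be valid. The
`parse_timestamp` helper drops the zone token and treats the time as naive
local time, because strptime's %Z only accepts a handful of zone names.

```python
"""Decide which kept-old keys on a Kerberos principal can no longer be in use.

Added example for the krbdev thread on pruning kept-old keys; not MIT code.
Input format (getprinc labels, duration rendering) is assumed from krb5 1.8.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of `kadmin getprinc` output; not captured from a real KDC.
SAMPLE_GETPRINC = """\
Principal: host/web1.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Sep 13 09:00:00 EDT 2010
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Sep 13 09:00:00 EDT 2010 (admin/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 1, des-cbc-crc
MKey: vno 1
Attributes:
Policy: [none]
"""

# "7 days 00:00:00", "1 day 02:00:00" or just "00:30:00" when under a day.
_DUR_RE = re.compile(r"^(?:(\d+) days? )?(\d+):(\d+):(\d+)$")
# Enctype runs up to the next comma; some builds append a salt type after it.
_KEY_RE = re.compile(r"^Key: vno (\d+), ([^,]+)")


def parse_duration(text):
    """Parse krb5's duration rendering into a timedelta."""
    m = _DUR_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised duration: %r" % text)
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_timestamp(text):
    """Parse 'Mon Sep 13 09:00:00 EDT 2010' as a naive local datetime.

    Assumption: the zone abbreviation (5th token) is dropped rather than
    interpreted, since strptime's %Z does not understand most zone names.
    """
    parts = text.split()
    if len(parts) != 6:
        raise ValueError("unrecognised timestamp: %r" % text)
    return datetime.strptime(" ".join(parts[:4] + parts[5:]),
                             "%a %b %d %H:%M:%S %Y")


def parse_getprinc(output):
    """Extract last password change, max renewable life and (kvno, enctype) list."""
    info = {"keys": []}
    for line in output.splitlines():
        if line.startswith("Last password change: "):
            info["last_change"] = parse_timestamp(line.split(": ", 1)[1])
        elif line.startswith("Maximum renewable life: "):
            info["max_renew"] = parse_duration(line.split(": ", 1)[1])
        else:
            m = _KEY_RE.match(line)
            if m:
                info["keys"].append((int(m.group(1)), m.group(2).strip()))
    for field in ("last_change", "max_renew"):
        if field not in info:
            raise ValueError("getprinc output lacks %r" % field)
    if not info["keys"]:
        raise ValueError("getprinc output lists no keys")
    return info


def prunable_keys(output, now):
    """Return (prune_after, old_keys).

    old_keys is the list of (kvno, enctype) below the current kvno, but only
    once `now` has passed last-password-change + maximum renewable life; before
    that the list is empty because a ticket under an old key may still be live.
    """
    info = parse_getprinc(output)
    current_kvno = max(kvno for kvno, _ in info["keys"])
    prune_after = info["last_change"] + info["max_renew"]
    old = [(kvno, etype) for kvno, etype in info["keys"] if kvno < current_kvno]
    if now < prune_after:
        return prune_after, []
    return prune_after, old


if __name__ == "__main__":
    when, dead = prunable_keys(SAMPLE_GETPRINC, datetime.now())
    print("old keys safe to drop after", when, ":", dead or "none yet")
```

Run it against `kadmin -q "getprinc host/web1.example.com" ` output instead of the
constructed sample to get the date after which the kvno 1 and 2 keys are dead;
the removal itself still has to be done by the dump-and-edit route mentioned
above, since kadmin offers no command for it here.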