Removing old keys
Nicolas Williams
Nicolas.Williams at oracle.com
Mon Sep 20 19:36:35 EDT 2010
On Mon, Sep 20, 2010 at 04:28:18PM -0700, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams at oracle.com> writes:
>
> > Also, the kadmin client could delete old keys from keytabs
> > automatically, specifically removing keys whose kvnos are not listed as
> > valid by kadmind.
>
> You only want to do that if the maximum ticket lifetime has passed.
Of course. The idea is to set the kvno differential, principal re-key
interval, and ticket lifetime options so that you don't leave users with
not-yet-expired tickets encrypted in keys that are nowhere to be found.
Preferably the system should not let you shoot your foot off this way.
(And I really wish that the krb5 GSS mech allowed for multiple security
context token round-trips as a way to recover from recoverable errors,
such as having a ticket with an old kvno and needing to do user-to-user
authentication. But I digress.)
The point is: an automatic feature is easier to use than a manual one,
particularly if you'd be pressed to automate the manual one (which I
think we can agree, sites would). Why do something only half-way? Is
this a sysadmin employment project? :) :)
Nico
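The rule the two messages converge on (delete a keytab entry only when kadmind no longer lists its kvno as valid, and only once the maximum ticket lifetime has elapsed since a newer key replaced it) can be written down as a small decision routine. The following is an added illustration, not code from this thread or from any kadmin implementation; the `KeytabEntry` type, the `prunable_entries` function and the sample keytab contents and valid-kvno list are all constructed here.

```python
"""Decide which old keytab entries are safe to delete.

Added example (not kadmin code): the keytab contents and the set of kvnos
"kadmind reports as valid" are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    added: datetime  # timestamp the entry was written to the keytab


def prunable_entries(entries, valid_kvnos, now, max_ticket_life):
    """Return keytab entries that can be removed without stranding tickets.

    An entry is removable only if
      * kadmind no longer lists its kvno as valid for that principal, and
      * a newer kvno has been in the keytab for longer than max_ticket_life
        (use the larger of the max ticket life and max renewable life), so
        no ticket encrypted in the old key can still be unexpired.
    The keytab timestamp of the successor key is a conservative proxy for
    when the KDC stopped issuing tickets in the old key: the KDC switched no
    later than that, so the wait is never shorter than required.
    """
    by_principal = defaultdict(list)
    for entry in entries:
        by_principal[entry.principal].append(entry)

    removable = []
    for principal, keys in by_principal.items():
        keys.sort(key=lambda e: e.kvno)
        still_valid = valid_kvnos.get(principal, set())
        for i, entry in enumerate(keys):
            if entry.kvno in still_valid:
                continue
            newer = keys[i + 1:]
            if not newer:
                # Never delete the newest key, whatever the valid list says;
                # a missing current key is worse than a stale one.
                continue
            superseded_at = newer[0].added
            if superseded_at + max_ticket_life <= now:
                removable.append(entry)
    return removable


# Constructed sample data: one host principal re-keyed twice, one untouched.
NOW = datetime(2010, 9, 20, 23, 0, tzinfo=timezone.utc)
SAMPLE_KEYTAB = [
    KeytabEntry("host/a.example.com", 3, NOW - timedelta(days=60)),
    KeytabEntry("host/a.example.com", 4, NOW - timedelta(days=30)),
    KeytabEntry("host/a.example.com", 5, NOW - timedelta(hours=6)),
    KeytabEntry("ldap/a.example.com", 1, NOW - timedelta(days=90)),
]
SAMPLE_VALID = {"host/a.example.com": {4, 5}, "ldap/a.example.com": {1}}
MAX_TICKET_LIFE = timedelta(days=1)


def demo():
    """Return (principal, kvno) pairs the sample run would delete."""
    hits = prunable_entries(SAMPLE_KEYTAB, SAMPLE_VALID, NOW, MAX_TICKET_LIFE)
    return [(e.principal, e.kvno) for e in hits]


if __name__ == "__main__":
    for principal, kvno in demo():
        print(f"safe to remove: {principal} kvno {kvno}")
```

With the sample data only kvno 3 of `host/a.example.com` is reported: kvno 4 is still valid, kvno 5 is the newest key, and the ldap key has never been superseded. If kadmind dropped kvno 4 from its valid list as well, the routine would still keep it until a full ticket lifetime has passed since kvno 5 was installed, which is the "only if the maximum ticket lifetime has passed" condition from the reply above.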