Question related to keytab entries upgrade

Greg Hudson ghudson at MIT.EDU
Thu Jan 24 15:28:25 EST 2013


On 01/23/2013 05:20 PM, Matthieu Hautreux wrote:
> after some work and evaluation, you will find enclosed a set of patches
> against the main branch of MIT krb5 to add the support for client side
> principals hot-rekeying removing the race window discussed in this thread.

At the moment, I am more partial to a design using a server kvno
attribute in the DB entry.  It's significantly more work, but (1)
because keys would still be generated within kadmind, it finesses the
issue of setkey permissions; and (2) it would allow kinit -k to continue
to work without requiring the client code to retry with multiple key
entries.


