The destructive re-keying problem

Nico Williams nico at
Fri Mar 7 16:37:27 EST 2014

On Fri, Mar 7, 2014 at 2:45 PM, Greg Hudson <ghudson at> wrote:
> We've been asked to take a look into automatically invalidating cached
> service tickets after a server is destructively re-keyed (e.g. if the
> server is completely re-provisioned and does not retain its old keytab).
> I did an initial writeup here:

Clients will still see failures.  They'll just be able to recover if
the application retries.

We should try to do a bit better.  There are two ways in which we can
improve things: on the client side, and on the server side:

 - On the client side, multi-round trip mechanism enhancements would
allow the mechanism to recover with no evident failures.

 - On the server side the KDC could allow old keys to be extracted
under certain circumstances, namely a) when the host principal was
marked for this purpose, b) suitable bootstrap credentials are used,
c) new keys are set, d) only old keys for which unexpired tickets
might still be floating around are extracted.

I'd be in favor of both.
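The server-side proposal above, modelled as a small policy check, is an added example and not MIT krb5 code. Conditions a) through d) from the message become explicit gates, and d) is made concrete by bounding an old key's exposure: a service ticket encrypted under kvno k can only have been issued while k was current, and its end time is at most issue time plus the realm's maximum ticket life (renewal re-encrypts under the current key, so renewable life does not extend the bound). The key-history format, the `RekeyRequest` fields, the sample dates and the policy knobs are assumptions made for illustration.

```python
"""Model of a KDC releasing only the old keys a destructively re-keyed
host may still need.  Example code for illustration; not MIT krb5."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class KeyVersion:
    kvno: int           # key version number
    set_at: datetime    # when this kvno became the principal's current key


@dataclass(frozen=True)
class RekeyRequest:
    allow_old_key_extraction: bool  # a) host principal marked for this purpose
    bootstrap_creds_valid: bool     # b) suitable bootstrap credentials presented
    new_kvno: Optional[int]         # c) kvno of the newly set keys (None = not set yet)


def still_live_kvnos(history: List[KeyVersion], max_ticket_life: timedelta,
                     now: datetime) -> List[int]:
    """Return kvnos under which an unexpired service ticket might still exist.

    A ticket encrypted with kvno k was issued no later than the successor
    key's set_at, so its end time is bounded by successor.set_at + max life.
    The newest key has no successor and is never reported as 'old'.
    """
    ordered = sorted(history, key=lambda kv: kv.kvno)
    live = []
    for current, successor in zip(ordered, ordered[1:]):
        latest_possible_expiry = successor.set_at + max_ticket_life
        if latest_possible_expiry > now:
            live.append(current.kvno)
    return live


def extractable_old_keys(history: List[KeyVersion], req: RekeyRequest,
                         max_ticket_life: timedelta,
                         now: datetime) -> Tuple[List[int], str]:
    """Apply gates a)-c), then restrict to d): old keys with live tickets."""
    if not req.allow_old_key_extraction:
        return [], "refused: principal not marked for old-key extraction"
    if not req.bootstrap_creds_valid:
        return [], "refused: bootstrap credentials not acceptable"
    newest = max(kv.kvno for kv in history)
    if req.new_kvno is None or req.new_kvno != newest:
        return [], "refused: new keys must be set before old ones are released"
    live = [k for k in still_live_kvnos(history, max_ticket_life, now)
            if k < req.new_kvno]
    return live, "ok"


# Constructed sample key history for one host principal (not real data).
UTC = timezone.utc
HISTORY = [
    KeyVersion(1, datetime(2013, 1, 1, tzinfo=UTC)),
    KeyVersion(2, datetime(2013, 6, 1, tzinfo=UTC)),
    KeyVersion(3, datetime(2014, 3, 1, tzinfo=UTC)),
    KeyVersion(4, datetime(2014, 3, 7, 16, 0, tzinfo=UTC)),  # set by the re-provisioning
]
NOW = datetime(2014, 3, 7, 16, 37, tzinfo=UTC)


def demo():
    """Three policy evaluations: short max life, long max life, unmarked principal."""
    ok_req = RekeyRequest(True, True, new_kvno=4)
    short_life = extractable_old_keys(HISTORY, ok_req, timedelta(hours=10), NOW)
    long_life = extractable_old_keys(HISTORY, ok_req, timedelta(days=7), NOW)
    unmarked = extractable_old_keys(HISTORY, RekeyRequest(False, True, 4),
                                    timedelta(hours=10), NOW)
    return short_life, long_life, unmarked


if __name__ == "__main__":
    labels = ("10h max ticket life", "7d max ticket life", "unmarked principal")
    for label, (kvnos, why) in zip(labels, demo()):
        print(f"{label}: kvnos={kvnos} ({why})")
```

With a 10-hour maximum ticket life only kvno 3 (the key current just before the re-key) is released; with a 7-day maximum, kvno 2 is also still within its exposure window and comes back too. The point of the window is that releasing fewer keys than that leaves clients holding tickets the server cannot decrypt, while releasing more than that extends the lifetime of key material for no benefit.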


More information about the krbdev mailing list