The destructive re-keying problem
nico at cryptonector.com
Fri Mar 7 16:37:27 EST 2014
On Fri, Mar 7, 2014 at 2:45 PM, Greg Hudson <ghudson at mit.edu> wrote:
> We've been asked to take a look into automatically invalidating cached
> service tickets after a server is destructively re-keyed (e.g. if the
> server is completely re-provisioned and does not retain its old keytab).
> I did an initial writeup here:
Clients will still see failures. They'll just be able to recover if
the application retries.
We should try to do a bit better. There are two ways in which we can
improve things: on the client side, and on the server side:
- On the client side, multi-round trip mechanism enhancements would
allow the mechanism to recover with no evident failures.
- On the server side the KDC could allow old keys to be extracted
under certain circumstances, namely a) when the host principal was
marked for this purpose, b) suitable bootstrap credentials are used,
c) new keys are set, d) only old keys for which unexpired tickets
might still be floating around are extracted.
I'd be in favor of both.
More information about the krbdev