[39260] in Kerberos


Re: How to rekey kadmin/history

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Sat Oct 7 13:05:08 2023

Message-ID: <202310071703.397H32cD031876@hedwig.cmf.nrl.navy.mil>
To: Mike <kerberos@norgie.net>
cc: kerberos@mit.edu
In-Reply-To: <ZSExJFGjyAMYAGGw@lightning.iz.norgie.net>
MIME-Version: 1.0
Date: Sat, 07 Oct 2023 13:03:02 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>In a similar vein to my previous communication, I've found myself trying
>to update my principals from 3DES to AES.  While this was successful for
>the most part, one of the issues that evades me is the correct way to
>rekey kadmin/history, as it seems the usual process doesn't work.
>Please could someone advise, as I haven't been able to find the Google
>foo.

The official documentation has the answer:

	https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-history-key

Basically you run "cpw -randkey kadmin/history".  There's no proper
rollover support, unfortunately; all stored old keys get invalidated.
My memory of the code is that the old keys will stick around in the
database until the principal changes its password.

--Ken

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
