[39265] in Kerberos


Re: How to rekey kadmin/history

daemon@ATHENA.MIT.EDU (Mike via Kerberos)
Mon Oct 9 18:33:45 2023

Message-ID: <55ca3c6f-e1b1-26c4-c4e7-af09fba8fe22@csits.net>
Date: Mon, 9 Oct 2023 23:30:32 +0100
MIME-Version: 1.0
Content-Language: en-GB
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
In-Reply-To: <202310071703.397H32cD031876@hedwig.cmf.nrl.navy.mil>
From: Mike via Kerberos <kerberos@mit.edu>
Reply-To: Mike <kerberos@norgie.net>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu

On 07/10/2023 18:03, Ken Hornstein wrote:
>> In a similar vein to my previous communication, I've found myself trying
>> to update my principals from 3DES to AES.  While this was successful for
>> the most part, one of the issues that evades me is the correct way to
>> rekey kadmin/history, as it seems the usual process doesn't work.
>> Please could someone advise, as I haven't been able to find the Google
>> foo.
> 
> The official documentation has the answer:
> 
> 	https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html#updating-history-key
> 
> Basically you run "cpw -randkey kadmin/history".  There's no proper
> rollover support, unfortunately; all stored old keys get invalidated.
> My memory of the code is that the old keys will stick around in the
> database until the principal changes its password.
> 
> --Ken

Thanks Ken,

That did it.  Basically I was missing out -randkey and getting:

"change_password: Cannot change protected principal while changing 
password for "kadmin/history"

Now I get it!

Thanks again,
Mike.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
