[37820] in Kerberos


Re: changing password/keys but still being able to use the old ones

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Dec 22 11:03:13 2016

To: Sorin Manolache <sorinm@gmail.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <532f173d-967f-f3e9-68d0-ae58a0ec5e0d@mit.edu>
Date: Thu, 22 Dec 2016 11:02:58 -0500
MIME-Version: 1.0
In-Reply-To: <40e8f7dc-0fdc-ad68-1aa8-e616a4296a54@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 12/22/2016 09:15 AM, Sorin Manolache wrote:
[...]
> Therefore, at moment t_2, when the user makes a request to the http 
> server, his ticket that uses the kvno 2 keys cannot be validated by the 
> service that uses the keytab with the kvno 1 keys.

Yes, this is a known weakness of the current kadmin.  I think it was
first reported here:

    http://krbdev.mit.edu/rt/Ticket/Display.html?id=5339

It becomes a larger problem with clustered services.  We discussed some
possible resolutions in this thread on the krbdev list:

    http://mailman.mit.edu/pipermail/krbdev/2013-January/011355.html

In terms of immediate resolution, the only option I know of is to use
Roland's admin system:

    http://oskt.secure-endpoints.com/krb5_admin.html
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
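The window Sorin describes, modelled as an added example (not code from the mail, from MIT krb5 or from krb5_admin): a service ticket carries the kvno of the key it was made under, and the service can only check it if its keytab holds a key for that kvno. The first function reproduces the ktadd ordering in the thread (KDC key changes at t_1, keytab catches up at t_3, a ticket issued at t_2 fails); the second shows the ordering that avoids the window, distributing the new kvno to every keytab before the KDC starts using it and keeping the old kvno until tickets issued under it have expired. HMAC over the ticket body stands in for the real ticket encryption, and the principal name is hypothetical.

```python
import hashlib
import hmac
import secrets


class KDC:
    """Holds the service principal's current long-term key and its kvno."""

    def __init__(self, principal):
        self.principal = principal
        self.kvno = 1
        self.key = secrets.token_bytes(32)

    def install_key(self, kvno, key):
        """Switch the KDC to a new key; tickets issued from now on use it."""
        self.kvno = kvno
        self.key = key

    def issue_ticket(self, client):
        """Service ticket: the kvno travels in the clear, the body is bound
        to the key of that kvno (HMAC stands in for ticket encryption)."""
        body = f"{client} -> {self.principal}".encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return {"kvno": self.kvno, "body": body, "tag": tag}


class Keytab:
    """Service-side keytab: kvno -> key.  A real keytab can hold several
    kvnos for one principal, which is what makes the safe ordering work."""

    def __init__(self):
        self.keys = {}

    def add(self, kvno, key):
        self.keys[kvno] = key

    def remove(self, kvno):
        self.keys.pop(kvno, None)

    def validate(self, ticket):
        """Look up the key by the ticket's kvno and check the body under it."""
        key = self.keys.get(ticket["kvno"])
        if key is None:
            return False  # no key for that kvno; krb5 reports 'Key table entry not found'
        expected = hmac.new(key, ticket["body"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, ticket["tag"])


SERVICE = "HTTP/www.example.com"  # hypothetical service principal


def kadmin_style_rotation():
    """'kadmin ktadd' order: the KDC key changes at once, the keytab catches
    up only when the new file is copied to the host.  Returns the result
    for a ticket issued in between, then again after the keytab is updated."""
    kdc = KDC(SERVICE)
    keytab = Keytab()
    keytab.add(kdc.kvno, kdc.key)                 # host has kvno 1

    kdc.install_key(2, secrets.token_bytes(32))   # t_1: ktadd bumps the KDC to kvno 2
    ticket = kdc.issue_ticket("alice")            # t_2: client gets a kvno 2 ticket
    during = keytab.validate(ticket)              # service still only has kvno 1

    keytab.add(kdc.kvno, kdc.key)                 # t_3: new keytab reaches the host
    after = keytab.validate(ticket)
    return during, after


def staged_rotation():
    """Safe order: distribute the new key to every keytab first, then tell
    the KDC to use it, and keep the old kvno until tickets issued under it
    have expired.  Returns (old ticket ok, new ticket ok, old ticket after
    the old kvno was pruned too early)."""
    kdc = KDC(SERVICE)
    keytab = Keytab()
    keytab.add(kdc.kvno, kdc.key)
    old_ticket = kdc.issue_ticket("alice")        # kvno 1, valid for its whole lifetime

    next_kvno, next_key = kdc.kvno + 1, secrets.token_bytes(32)
    keytab.add(next_kvno, next_key)               # step 1: every host gets kvno 2
    kdc.install_key(next_kvno, next_key)          # step 2: KDC switches to kvno 2
    new_ticket = kdc.issue_ticket("bob")

    old_ok = keytab.validate(old_ticket)
    new_ok = keytab.validate(new_ticket)

    keytab.remove(1)                              # pruning kvno 1 before old tickets expire
    old_after_prune = keytab.validate(old_ticket)
    return old_ok, new_ok, old_after_prune


if __name__ == "__main__":
    print("kadmin order (during, after):", kadmin_style_rotation())
    print("staged order (old, new, pruned):", staged_rotation())
```

The second function is the ordering a rotation tool has to follow with clustered services: every node needs the new kvno before the KDC issues tickets under it, and the old kvno has to stay in the keytabs for at least the maximum ticket lifetime, as the last return value shows.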
