[39300] in Kerberos
Re: Removing deprecated keys
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Nov 1 02:15:36 2023
Message-ID: <a6438895-e809-4685-9130-f8f3c4952bd7@mit.edu>
Date: Wed, 1 Nov 2023 02:13:54 -0400
MIME-Version: 1.0
Content-Language: en-US
To: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>, <kerberos@mit.edu>
From: "Greg Hudson" <ghudson@mit.edu>
In-Reply-To: <7e384a59-8a34-3305-f46f-30ea18942b5d@prime.gushi.org>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On 10/31/23 21:16, Dan Mahoney (Gushi) wrote:
> We've recently gone through all the hard work of switching off 3des on
> our kdcs and rolling all the things, but one of the things we note is
> that some of our users still have the keys with the old enctypes
> present. Is there a way to delete just those deprecated keys, without
> forcing a password change?

I don't believe we have that feature currently; the closest we have is
the kadmin purgekeys command, but that command (and its associated
libkadm5 RPC) only removes whole key versions.

It would be possible to write a C program using libkdb5 to crawl the
database and remove the desired keys; I can't think of any simpler
approach. I believe common practice is just to force password changes,
or wait until password maximum lifetimes force changes over time.

If you're at the point of not relying on any des3-cbc-sha1 keys, you can
set a permitted_enctypes in [libdefaults] on the KDC that does not
include it (a value of "DEFAULT -des3" should work). Then the KDC will
ignore those keys while continuing to allow the other ones to be used.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
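Added example, not part of this thread and not MIT krb5 code: a small audit script that applies Greg's point that purgekeys only removes whole key versions. It parses the output of kadmin's getprinc for a set of principals and, for each deprecated-enctype key, decides whether it sits in an old kvno (removable with purgekeys -keepkvno, which drops every key in that kvno) or in the current kvno (only a password change or rekey will get rid of it). The getprinc sample text is constructed for this example from the "Key: vno N, enctype" line format as I recall it, and the DEPRECATED_ENCTYPES set is an assumption to adjust to local policy.

```python
import re
from collections import defaultdict

# Assumption: which enctypes this site considers deprecated. des3-cbc-sha1 is the
# one discussed in the thread; the others are common additions.
DEPRECATED_ENCTYPES = {"des3-cbc-sha1", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}

PRINC_RE = re.compile(r"^Principal:\s*(\S+)")
KEY_RE = re.compile(r"^Key:\s*vno\s+(\d+),\s*([A-Za-z0-9-]+)")

# Constructed sample: concatenated getprinc output for three principals
# (only the lines this script cares about are reproduced).
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Number of keys: 3
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96
Key: vno 4, des3-cbc-sha1
Policy: [none]

Principal: bob@EXAMPLE.COM
Number of keys: 3
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
Policy: [none]

Principal: carol@EXAMPLE.COM
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Policy: [none]
"""


def parse_getprinc(text):
    """Parse one or more getprinc outputs into {principal: [(kvno, enctype), ...]}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PRINC_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            keys[current].append((int(m.group(1)), m.group(2)))
    return keys


def classify_deprecated_keys(keys, deprecated=DEPRECATED_ENCTYPES):
    """Split each principal's deprecated keys into 'purgeable' (in a kvno older
    than the newest, so purgekeys -keepkvno can drop that whole kvno) and
    'rekey' (in the newest kvno, which purgekeys cannot touch selectively).
    Principals with no deprecated keys are omitted from the report."""
    report = {}
    for princ, entries in keys.items():
        if not entries:
            continue
        newest = max(kvno for kvno, _ in entries)
        purgeable = sorted((k, et) for k, et in entries if et in deprecated and k < newest)
        rekey = sorted((k, et) for k, et in entries if et in deprecated and k == newest)
        if purgeable or rekey:
            report[princ] = {"newest": newest, "purgeable": purgeable, "rekey": rekey}
    return report


def suggested_actions(report):
    """Turn the report into the kadmin commands / operator actions implied by it.
    Note: purging an old kvno also removes its non-deprecated keys, so only do
    it once no tickets or keytabs still depend on that kvno."""
    actions = []
    for princ in sorted(report):
        info = report[princ]
        if info["purgeable"]:
            actions.append(f"purgekeys -keepkvno {info['newest']} {princ}")
        if info["rekey"]:
            ets = ", ".join(et for _, et in info["rekey"])
            actions.append(f"force password change / rekey for {princ} ({ets} in current kvno)")
    return actions


if __name__ == "__main__":
    for line in suggested_actions(classify_deprecated_keys(parse_getprinc(SAMPLE_GETPRINC))):
        print(line)
```

On the constructed sample this reports alice as needing a rekey (her des3 key shares kvno 4 with her AES keys), bob's des3 key as purgeable via purgekeys -keepkvno 2, and nothing for carol. In practice the input would come from something like kadmin.local -q "getprinc <principal>" run over the output of listprincs, and the permitted_enctypes setting Greg mentions covers the interval until the rekeys happen.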