[3161] in Kerberos-V5-bugs
Re: krb5-libs/786: Keytab code should cache last-read key
daemon@ATHENA.MIT.EDU (tytso@MIT.EDU)
Tue Nov 30 15:57:45 1999
Date: Tue, 30 Nov 1999 15:55:54 -0500
Message-Id: <199911302055.PAA04754@trampoline.thunk.org>
To: jik@kamens.brookline.ma.us
Cc: krb5-bugs@MIT.EDU, krb5-unassigned@RT-11.MIT.EDU,
gnats-admin@RT-11.MIT.EDU, krb5-prs@RT-11.MIT.EDU
In-Reply-To: <199911291940.OAA00393@jik2.kamens.brookline.ma.us> (message from
Jonathan Kamens on Mon, 29 Nov 1999 14:40:44 -0500)
From: tytso@MIT.EDU
Date: Mon, 29 Nov 1999 14:40:44 -0500
From: Jonathan Kamens <jik@kamens.brookline.ma.us>
It doesn't really matter if the keytab has changed, since the caching
I implemented checks the key version number of the cached key. That
is, if a new key is issued for the server, then the tickets issued to
clients will use the new key, and therefore they will not match the
cached key, so the keytab file will be read.
Good point, and if a site wants to bump the version number to lock out a
compromised key, it's probably not unreasonable to require that the
administrator kill and restart the application server. (And of course,
none of this applies for servers run out of inetd.)
- Ted
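The kvno-checked cache and the restart caveat above, as an added illustration that is not MIT krb5 code: a single-entry cache that re-reads the keytab only on a principal/kvno miss, so an entry deleted from the file (for example a compromised key) keeps being served from the cache until the server process restarts. The principal name and key bytes are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    key: bytes

class Keytab:
    """Stand-in for the keytab file; the admin can rewrite its entries."""
    def __init__(self, entries):
        self.entries = list(entries)
        self.reads = 0                      # how often the "file" was parsed

    def read(self, principal, kvno):
        self.reads += 1
        for e in self.entries:
            if e.principal == principal and e.kvno == kvno:
                return e
        return None

class CachingKeytab:
    """Caches the last key read; consults the file only on a kvno/principal miss."""
    def __init__(self, keytab):
        self.keytab = keytab
        self.cached = None

    def get_key(self, principal, kvno):
        c = self.cached
        if c is not None and c.principal == principal and c.kvno == kvno:
            return c.key                    # cache hit: file is not re-read
        c = self.keytab.read(principal, kvno)
        if c is None:
            return None
        self.cached = c
        return c.key

def scenario():
    princ = "host/app.example.com"          # constructed sample principal
    kt = Keytab([KeytabEntry(princ, 1, b"old-key")])
    ckt = CachingKeytab(kt)
    ckt.get_key(princ, 1)                   # first lookup reads the file
    ckt.get_key(princ, 1)                   # second one is served from cache
    warmup_reads = kt.reads
    # Admin removes the compromised kvno-1 entry and installs kvno 2.
    kt.entries = [KeytabEntry(princ, 2, b"new-key")]
    stale = ckt.get_key(princ, 1)           # still b"old-key": stale cache hit
    stale_reads = kt.reads                  # unchanged, file never consulted
    fresh = ckt.get_key(princ, 2)           # kvno miss forces a re-read
    after_restart = CachingKeytab(kt).get_key(princ, 1)   # new process: None
    return {"warmup_reads": warmup_reads, "stale": stale,
            "stale_reads": stale_reads, "fresh": fresh,
            "after_restart": after_restart, "total_reads": kt.reads}
```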