[16343] in Kerberos_V5_Development
Removing old keys
daemon@ATHENA.MIT.EDU (Jonathan Reams)
Mon Sep 20 15:31:59 2010
From: Jonathan Reams <jr3074@columbia.edu>
Date: Mon, 20 Sep 2010 15:31:55 -0400
Message-Id: <02BD6B97-CF3C-4693-BE07-D703B9DC3C05@columbia.edu>
To: krbdev@mit.edu
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
We're re-keying our principals during our migration to krb5-1.8.3 to take advantage of newer encryption types, and to reduce visibility to the end user, we're using the keepold flag when updating service principals. The problem is that there doesn't appear to be a way to prune out the old keys after they expire (the time the password change occurred plus the maximum renewable lifetime of the principal). Is there a mechanism for pruning old keys in the same way that kdb5_util lets you purge old master keys that are no longer being used?
Jonathan Reams
Assoc. Systems Engineer
Columbia University
jreams@columbia.edu
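The expiry rule stated in the question (an old key is no longer needed once the password-change time plus the principal's maximum renewable lifetime has passed), worked through as an added example that is not part of this thread. It assumes `getprinc` output in the layout of the constructed sample below; `prunable_keys` and the other helpers are hypothetical names, not kadmin functionality.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of kadmin "getprinc" output; the layout is assumed and
# the values are made up for this example.
SAMPLE = """\
Principal: host/app.example.edu@EXAMPLE.EDU
Last password change: Mon Sep 13 10:00:00 EDT 2010
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Number of keys: 3
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
"""

# Constructed "now": the timestamp of the post above.
NOW = datetime(2010, 9, 20, 15, 31, 55)

LIFE_RE = re.compile(r"(?:(\d+) days? )?(\d+):(\d+):(\d+)")

def parse_lifetime(text):
    """Turn '7 days 00:00:00' or '10:00:00' into a timedelta."""
    m = LIFE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised lifetime: %r" % text)
    days, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=h, minutes=mi, seconds=s)

def parse_getprinc(text):
    """Collect 'Field: value' pairs plus the list of key version numbers."""
    info = {"kvnos": []}
    for line in text.splitlines():
        if line.startswith("Key: vno "):
            info["kvnos"].append(int(line.split(",")[0].split()[-1]))
        elif ":" in line:
            key, _, val = line.partition(":")
            info[key.strip()] = val.strip()
    return info

def prunable_keys(text, now):
    """Return (safe_after, old_kvnos, safe_now): kvnos below the current one
    can be dropped once `now` >= last password change + max renewable life."""
    info = parse_getprinc(text)
    parts = info["Last password change"].split()
    # Drop the zone token (parts[4]); strptime's %Z does not accept names like EDT.
    changed = datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")
    safe_after = changed + parse_lifetime(info["Maximum renewable life"])
    current = max(info["kvnos"])
    old = sorted(k for k in info["kvnos"] if k < current)
    return safe_after, old, now >= safe_after

def check_sample():
    return prunable_keys(SAMPLE, NOW)
```

Tickets issued under the old kvnos can still be renewed until `safe_after`, so the helper reports the keys but leaves the decision to remove them to the operator.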