[16344] in Kerberos_V5_Development


Re: Removing old keys

daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Sep 20 15:47:21 2010

From: Russ Allbery <rra@stanford.edu>
To: Jonathan Reams <jr3074@columbia.edu>
In-Reply-To: <02BD6B97-CF3C-4693-BE07-D703B9DC3C05@columbia.edu> (Jonathan
	Reams's message of "Mon, 20 Sep 2010 15:31:55 -0400")
Date: Mon, 20 Sep 2010 12:47:17 -0700
Message-ID: <87mxrci4e2.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

Jonathan Reams <jr3074@columbia.edu> writes:

> We're re-keying our principals during our migration to krb5-1.8.3 to
> take advantage of newer encryption types, and to reduce visibility to
> the end user, we're using the keepold flag when updating service
> principals. The problem is that there doesn't appear to be a way to prune
> out the old keys after they expire (the time the password change
> occurred plus the maximum renewable lifetime of the principal).

Yup, that's correct.

> Is there a mechanism for pruning old keys in the same way that kdb5_util
> lets you purge old master keys that are no longer being used?

Unfortunately, no.  You have to do something ugly like dump the database,
edit the dump, and reload the database.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
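The "dump, edit, reload" route Russ describes can be scripted rather than hand-edited. The following is an added example, not code from the thread or from the krb5 project: it parses `princ` records in a `kdb5_util dump` file (format version 6), drops every `key_data` entry whose kvno is below a threshold (by default everything older than the current, highest kvno), fixes the `n_key_data` count, and writes the records back. The field layout it assumes (header fields, eight attribute fields, `n_tl_data` triplets, then `n_key_data` records of `ver kvno` followed by `ver` triplets, then the extra-data field ending in `;`) is stated as an assumption in the docstring; the parser refuses any record whose field count does not match the declared counts, so a format mismatch fails loudly instead of silently corrupting the dump. The sample dump and all key material in it are constructed, and `host/web.example.com@EXAMPLE.COM` is a placeholder principal.

```python
"""Prune old key versions from a kdb5_util dump (assumed format version 6).

Assumed record layout, tab-separated (an assumption about kdb5_util's dump
format, not taken from the thread):
  princ  namelen  n_tl  n_key  e_len  name
  attributes max_life max_renewable_life expiration pw_expiration
      last_success last_failed fail_auth_count            (8 integers)
  n_tl  x (type  len  hex-or--1)
  n_key x (ver  kvno  followed by ver x (type  len  hex-or--1))
  e_data hex or -1, immediately followed by ';'
"""
import sys

N_HEAD = 6   # princ, namelen, n_tl, n_key, e_len, name
N_ATTR = 8   # the eight integer attribute fields


def parse_princ(line):
    """Split one 'princ' record into head/attrs/tl/keys/edata; verify counts."""
    f = line.rstrip("\r\n").split("\t")
    if f[0] != "princ":
        raise ValueError("not a princ record")
    n_tl, n_key = int(f[2]), int(f[3])
    i = N_HEAD + N_ATTR
    tl = []
    for _ in range(n_tl):
        tl.append(f[i:i + 3])
        i += 3
    keys = []
    for _ in range(n_key):
        ver, kvno = int(f[i]), int(f[i + 1])
        n = 2 + 3 * ver               # ver kvno + ver (type len data) triplets
        keys.append({"kvno": kvno, "fields": f[i:i + n]})
        i += n
    # The extra-data field must be the last field and carry the ';' terminator;
    # anything else means the layout assumption above does not hold.
    if i != len(f) - 1 or not f[i].endswith(";"):
        raise ValueError("field count does not match declared counts for %s" % f[5])
    return {"head": f[:N_HEAD], "attrs": f[N_HEAD:N_HEAD + N_ATTR],
            "tl": tl, "keys": keys, "edata": f[i]}


def format_princ(rec):
    """Serialise a record, recomputing n_tl_data and n_key_data."""
    head = list(rec["head"])
    head[2] = str(len(rec["tl"]))
    head[3] = str(len(rec["keys"]))
    out = head + rec["attrs"]
    for t in rec["tl"]:
        out += t
    for k in rec["keys"]:
        out += k["fields"]
    out.append(rec["edata"])
    return "\t".join(out) + "\n"


def prune_keys(rec, oldest_kvno_to_keep=None):
    """Drop key_data entries below the threshold; default keeps only the
    highest kvno (all enctypes of it). Returns the number of entries dropped."""
    if not rec["keys"]:
        return 0
    if oldest_kvno_to_keep is None:
        oldest_kvno_to_keep = max(k["kvno"] for k in rec["keys"])
    before = len(rec["keys"])
    rec["keys"] = [k for k in rec["keys"] if k["kvno"] >= oldest_kvno_to_keep]
    return before - len(rec["keys"])


def prune_dump(text, select=lambda name: True, oldest_kvno_to_keep=None):
    """Rewrite every selected 'princ' record; pass all other lines through.
    Returns (new_dump_text, {principal: entries_dropped})."""
    out, dropped = [], {}
    for line in text.splitlines(keepends=True):
        if line.startswith("princ\t"):
            rec = parse_princ(line)
            name = rec["head"][5]
            if select(name):
                n = prune_keys(rec, oldest_kvno_to_keep)
                if n:
                    dropped[name] = n
                line = format_princ(rec)
        out.append(line)
    return "".join(out), dropped


# Constructed sample: one service principal with kvno 3 (aes256 type 18 and
# aes128 type 17) plus a leftover kvno 2 (des-cbc-crc type 1) kept by keepold.
# Hex blobs are made up, not real encrypted keys; salt entries are empty (-1).
SAMPLE_DUMP = (
    "kdb5_util load_dump version 6\n"
    "princ\t32\t1\t3\t0\thost/web.example.com@EXAMPLE.COM\t"
    "0\t36000\t604800\t0\t0\t0\t0\t0\t"
    "1\t4\t4c8faa5b\t"
    "2\t3\t18\t4\tdeadbeef\t0\t0\t-1\t"
    "2\t3\t17\t4\tcafef00d\t0\t0\t-1\t"
    "2\t2\t1\t4\tfeedface\t0\t0\t-1\t"
    "-1;\n"
)

if __name__ == "__main__":
    # usage: prune_keys.py dump.in dump.out [oldest_kvno_to_keep]
    src, dst = sys.argv[1], sys.argv[2]
    thresh = int(sys.argv[3]) if len(sys.argv) > 3 else None
    with open(src) as fh:
        new_text, report = prune_dump(fh.read(), oldest_kvno_to_keep=thresh)
    with open(dst, "w") as fh:
        fh.write(new_text)
    for name, n in sorted(report.items()):
        print("%s: dropped %d old key entr%s" % (name, n, "y" if n == 1 else "ies"))
```

Intended workflow: `kdb5_util dump` the database, run the script on the dump (restrict `select` to the re-keyed service principals rather than touching every entry), then reload the edited records with `kdb5_util load -update`. Two cautions: the dump holds every principal's keys (encrypted under the master key), so treat both files as secrets and wipe them afterwards; and a kvno must not be dropped until tickets issued under it can no longer be presented, which is the criterion Jonathan gives above (time of the key change plus the principal's maximum renewable lifetime), since a service that loses a kvno will reject any outstanding ticket encrypted under it.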
