[16345] in Kerberos_V5_Development
Re: Removing old keys
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Sep 20 15:50:09 2010
From: Greg Hudson <ghudson@mit.edu>
To: Jonathan Reams <jr3074@columbia.edu>
In-Reply-To: <02BD6B97-CF3C-4693-BE07-D703B9DC3C05@columbia.edu>
Date: Mon, 20 Sep 2010 15:50:05 -0400
Message-ID: <1285012205.20521.8.camel@ray>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Mon, 2010-09-20 at 15:31 -0400, Jonathan Reams wrote:
> We're re-keying our principals during our migration to krb5-1.8.3 to
> take advantage of newer encryption types, and to reduce visibility to
> the end user, we're using the keepold flag when updating service
> principals. The problem is that there doesn't appear to be a way to
> prune out the old keys after they expire (the time the password change
> occurred plus the maximum renewable lifetime of the principal). Is
> there a mechanism for pruning old keys in the same way that kdb5_util
> lets you purge old master keys that are no longer being used?
To the best of my understanding, there is not, short of dumpfile
editing. This is a long-standing shortcoming in the kadmin system,
which we simply haven't gotten around to correcting.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
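An added example, not from the thread or from the krb5 project: a small Python helper that applies the retention rule Jonathan describes (last password change plus maximum renewable lifetime) to `getprinc`-style output and lists the old kvnos an administrator could drop once that window has passed. The sample output is constructed, the getprinc field layout is assumed, and the helper only reports; it does not touch the database.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of `kadmin.local getprinc` output (not real data).
SAMPLE = """\
Principal: host/web1.example.com@EXAMPLE.COM
Last password change: Mon Sep 20 15:00:00 EDT 2010
Maximum renewable life: 7 days 00:00:00
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, aes128-cts-hmac-sha1-96, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
"""

LIFE_RE = re.compile(r"(?:(\d+) days? )?(\d+):(\d+):(\d+)")

def parse_life(text):
    """'7 days 00:00:00' or '0 days 10:00:00' -> timedelta."""
    days, h, m, s = (int(x or 0) for x in LIFE_RE.fullmatch(text.strip()).groups())
    return timedelta(days=days, hours=h, minutes=m, seconds=s)

def parse_date(text):
    """'Mon Sep 20 15:00:00 EDT 2010' -> naive datetime (zone token dropped)."""
    p = text.split()
    return datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")

def parse_getprinc(output):
    """Pick the fields needed for the retention check out of getprinc output."""
    info = {"keys": []}  # list of (vno, enctype)
    for line in output.splitlines():
        field, _, value = line.partition(": ")
        if field == "Principal":
            info["principal"] = value
        elif field == "Last password change":
            info["last_change"] = parse_date(value)
        elif field == "Maximum renewable life":
            info["max_renew"] = parse_life(value)
        elif field == "Key":  # value looks like "vno 3, <enctype>, <salt>"
            vno, enc = value.split(", ")[:2]
            info["keys"].append((int(vno.split()[1]), enc))
    return info

def stale_kvnos(info, now):
    """Old key versions whose retention window (last change + max renewable
    life, the rule from the thread) has passed by `now`; [] otherwise."""
    cutoff = info["last_change"] + info["max_renew"]
    current = max(v for v, _ in info["keys"])  # kvno in use after keepold
    if now < cutoff:
        return []
    return sorted({v for v, _ in info["keys"] if v < current})
```

Later krb5 releases added a `purgekeys` command to kadmin; the check above is the reasoning an administrator would apply before running it.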