[OpenAFS-devel] Re: rxkad.keytab rotation

Jeffrey Hutzelman jhutz@cmu.edu
Tue, 22 Oct 2013 17:04:51 -0400


On Tue, 2013-10-22 at 15:01 -0500, Andrew Deason wrote:

> > D) When we're creating a new server connection we try the key with the
> > highest kvno in the keyfile for each server. If that key fails to
> > work, then we try the one with the next highest, and so on, until we
> > either succeed, or run out of keys. This does mean that an attacker
> > could force us to use an older key, but only for the period during
> > which the rollover is being performed.
> 
> But how do we know if something failed due to key-related problems?

Well, we're not really talking about "key-related problems"; we're
talking about the specific problem of the server not knowing the key
that was used to print the token.  In that case, the error will always
be RXKADUNKNOWNKEY.

-- Jeff
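The fallback order described in the quoted proposal (D), together with Jeff's point that only RXKADUNKNOWNKEY indicates the server does not know the key, can be sketched as a key-selection loop. The following is an added example, not code from the thread or from OpenAFS: the keytab is modelled as a plain dictionary keyed by kvno, the server as a callable returning a constructed result enum (`OK` and `OTHER_ERROR` are placeholders; only the name RXKADUNKNOWNKEY comes from the message), and no real Rx connection is set up.

```python
"""Constructed example of the kvno-ordered key fallback discussed in the thread.

The client tries the highest kvno in its keytab first. It moves to the next
lower kvno only when the server answers RXKADUNKNOWNKEY; any other failure
stops the attempt, so an unrelated error cannot push the client through its
older keys. Older keys remain usable only while they are still in the keytab,
i.e. during the rollover window the message describes.
"""
from enum import Enum, auto
from typing import Callable, Dict, List, Optional, Set, Tuple


class RxkadResult(Enum):
    # OK and OTHER_ERROR are constructed stand-ins; RXKADUNKNOWNKEY is the
    # error the thread names for "server does not know this key".
    OK = auto()
    RXKADUNKNOWNKEY = auto()
    OTHER_ERROR = auto()


# Hypothetical in-memory keytab: {kvno: key bytes}.
Keytab = Dict[int, bytes]

# Hypothetical server probe: given (kvno, key), report how the connection went.
ServerProbe = Callable[[int, bytes], RxkadResult]


def select_key(keytab: Keytab, probe: ServerProbe) -> Tuple[Optional[int], List[int]]:
    """Try keys from highest kvno down.

    Returns (kvno that worked, or None if none did; kvnos tried, in order).
    """
    tried: List[int] = []
    for kvno in sorted(keytab, reverse=True):
        tried.append(kvno)
        result = probe(kvno, keytab[kvno])
        if result is RxkadResult.OK:
            return kvno, tried
        if result is not RxkadResult.RXKADUNKNOWNKEY:
            # Not a "server lacks this key" problem: stop rather than
            # walking further down the keytab.
            break
    return None, tried


def make_server(known_kvnos: Set[int], fail_with: Optional[RxkadResult] = None) -> ServerProbe:
    """Constructed server that knows the given kvnos.

    If fail_with is set, every attempt returns that result instead, to show
    that fallback does not happen on errors other than RXKADUNKNOWNKEY.
    """
    def probe(kvno: int, key: bytes) -> RxkadResult:
        if fail_with is not None:
            return fail_with
        return RxkadResult.OK if kvno in known_kvnos else RxkadResult.RXKADUNKNOWNKEY
    return probe


# Constructed sample keytab: kvno 3 is the new key, 2 the current one, 1 stale.
SAMPLE_KEYTAB: Keytab = {1: b"old-key", 2: b"current-key", 3: b"new-key"}


def demo() -> Tuple[Tuple[Optional[int], List[int]], ...]:
    """Run the four rollover situations a client can meet."""
    return (
        # Server already rolled to kvno 3: first try succeeds.
        select_key(SAMPLE_KEYTAB, make_server({2, 3})),
        # Server still on kvno 2: one step of fallback.
        select_key(SAMPLE_KEYTAB, make_server({2})),
        # Server knows none of our keys: exhaust the keytab, give up.
        select_key(SAMPLE_KEYTAB, make_server(set())),
        # Unrelated error on the first try: no fallback at all.
        select_key(SAMPLE_KEYTAB, make_server({3}, fail_with=RxkadResult.OTHER_ERROR)),
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The list of tried kvnos is returned so that a caller can log when a connection only succeeded after falling back; a server that is still accepting an older key after the rollover was supposed to finish is exactly the condition worth alerting on.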