[OpenAFS-devel] Re: rxkad.keytab rotation
Jeffrey Hutzelman
jhutz@cmu.edu
Tue, 22 Oct 2013 17:04:51 -0400
On Tue, 2013-10-22 at 15:01 -0500, Andrew Deason wrote:
> > D) When we're creating a new server connection we try the key with the
> > highest kvno in the keyfile for each server. If that key fails to
> > work, then we try the one with the next highest, and so on, until we
> > either succeed, or run out of keys. This does mean that an attacker
> > could force us to use an older key, but only for the period during
> > which the rollover is being performed.
>
> But how do we know if something failed due to key-related problems?
Well, we're not really taking about "key-related problems"; we're
talking about the specific problem of the server not knowing the key
that was used to print the token. In that case, the error will always
be RXKADUNKNOWNKEY.
-- Jeff