[OpenAFS] Re: "ktadd -k <anywhere> afs/xyz@REALM" breaks AFS instantly?

Sergio Gelato Sergio.Gelato@astro.su.se
Tue, 14 Feb 2006 13:32:28 +0100


* Juha Jäykkä [2006-02-14 10:27:30 +0200]:
> > Keytabs are normally not supposed to be shared between multiple
> > machines, and this approach means that kadmind doesn't need to have the
> > capability of retrieving keys from the KDC, which is an additional
> > separation of capability and an additional level of security.
>
> Except that AFS requires a shared keytab. Nice. :-) What about
> (Heimdal's) ktutil, does it have the same "problem" as ktadd?

I'd have to check[*] about ktutil, but Heimdal's kadmin supports an
"extract" command which extracts an existing key from the KDC into
a keytab, without rekeying.

[*] Just checked the man page. "ktutil get" supposedly generates a new key.
So does "ktutil change", of course.

> And how
> would an AFS cell recover from the unfortunate human error of an admin
> doing the line in the subject? This sounds like a disaster waiting to
> happen, there must be an easy way out.

Distribute the new key to all the AFS servers. Wait a token lifetime
before removing the old one, so that existing tokens (hopefully) remain
valid.

It's not a bad idea to rekey one's services from time to time. It's just
temporarily disruptive if one doesn't go through the steps in the right order
(which for AFS would be to distribute the new key to the AFS servers
*before* the KDC starts issuing tickets with it).
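The rollover order described above, as an added toy model that is not part of the thread or of OpenAFS: a file server can validate a ticket only if its KeyFile holds the key with the ticket's kvno, keys are represented by their kvno alone (no real cryptography), and the token lifetime and clock values are constructed.

```python
from dataclasses import dataclass, field

TOKEN_LIFETIME = 3600  # seconds; constructed value for the model

@dataclass
class Ticket:
    kvno: int        # key version the service part was encrypted under
    issued_at: int   # constructed clock, in seconds

@dataclass
class FileServer:
    keyfile: set = field(default_factory=lambda: {1})  # kvnos held in its KeyFile

    def accepts(self, t: Ticket) -> bool:
        return t.kvno in self.keyfile

def rejected(tickets, servers, now, lifetime=TOKEN_LIFETIME) -> int:
    """Count unexpired tickets that at least one file server cannot decrypt."""
    live = [t for t in tickets if now - t.issued_at < lifetime]
    return sum(1 for t in live if not all(s.accepts(t) for s in servers))

def careless_rollover():
    """Subject-line mistake: rekey at the KDC while servers still hold only kvno 1."""
    kdc_kvno, servers = 1, [FileServer() for _ in range(3)]
    tickets = [Ticket(kdc_kvno, 0)]
    kdc_kvno += 1                                # ktadd: fresh key, kvno 2, in one keytab only
    tickets.append(Ticket(kdc_kvno, 10))         # kvno-2 ticket no server can decrypt
    broken = rejected(tickets, servers, now=10)
    for s in servers:                            # recovery: push kvno 2 to every server
        s.keyfile.add(kdc_kvno)
    return broken, rejected(tickets, servers, now=10)      # (1, 0)

def careful_rollover():
    """Distribute first, switch the KDC second, retire the old key a lifetime later."""
    kdc_kvno, servers = 1, [FileServer() for _ in range(3)]
    tickets = [Ticket(kdc_kvno, 0)]
    for s in servers:
        s.keyfile.add(kdc_kvno + 1)              # 1: new key on every server first
    kdc_kvno += 1                                # 2: only now does the KDC issue kvno 2
    tickets.append(Ticket(kdc_kvno, 10))
    during = rejected(tickets, servers, now=10)
    too_early = rejected(tickets, [FileServer(keyfile={2})], now=10)  # dropping kvno 1 now breaks the old token
    later = 10 + TOKEN_LIFETIME                  # 3: kvno-1 tokens have expired...
    tickets.append(Ticket(kdc_kvno, later))
    for s in servers:
        s.keyfile.discard(1)                     # ...so kvno 1 can be retired safely
    return during, too_early, rejected(tickets, servers, now=later)   # (0, 1, 0)
```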