[OpenAFS] Server encryption keys

Russ Allbery rra@stanford.edu
Fri, 16 Mar 2007 15:11:20 -0700


Robert Banz <banz@umbc.edu> writes:

>> What is required is functionality in the KDC that says "generate a new
>> key for service X but don't use it yet".
>> 
>> Then you could distribute the key to your servers and after they were
>> all updated, you could activate the use of the new key.

> That functionality could be simulated with a <blah> script generating a
> sufficiently large random string to use as the "password".

The problem is that immediately upon changing the AFS principal key in the
KDC, the KDC starts handing out service tickets using the new key.  Those
service tickets then become tokens, but those tokens will be rejected by
any AFS server that doesn't have the new key in its KeyFile.  So currently
it's not possible to change the key without creating some transitional
issues around the point of key change.

Jeff is talking about additional functionality that several of us would
like to add to the Kerberos KDC that lets you create a new key (and hence
a keytab and hence pre-populate the KeyFile) without having the KDC
immediately start using it for service tickets.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
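The transitional problem described in the message above, shown as a small simulation. This is an added example, not code from the post, from OpenAFS or from any Kerberos KDC: it models a KDC that encrypts service tickets under its currently active key version (kvno) and AFS file servers that honour a token only if that kvno is present in their local KeyFile. The `stage_key`/`activate_staged` methods are a hypothetical rendering of the "generate but don't use yet" functionality the thread asks for; the keys, server names and client name are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Ticket:
    """A service ticket: kvno names the key; 'mac' stands in for the ticket
    body encrypted under that key (an HMAC is enough for the simulation)."""
    kvno: int
    mac: bytes


def _seal(key: bytes, client: str) -> bytes:
    return hmac.new(key, client.encode(), hashlib.sha256).digest()


class KDC:
    """Holds every key version of the AFS service principal and the kvno
    currently used to encrypt service tickets (constructed model)."""

    def __init__(self) -> None:
        self.keys: dict[int, bytes] = {}
        self.active_kvno = 0
        self.staged_kvno = 0

    def _new_key(self) -> int:
        kvno = max(self.keys, default=0) + 1
        self.keys[kvno] = os.urandom(32)  # constructed key material
        return kvno

    def change_key(self) -> int:
        """Behaviour the post describes: the new key is used at once."""
        self.active_kvno = self._new_key()
        return self.active_kvno

    def stage_key(self) -> int:
        """Hypothetical proposed behaviour: create the key so a keytab can be
        exported, but keep issuing tickets under the old active key."""
        self.staged_kvno = self._new_key()
        return self.staged_kvno

    def activate_staged(self) -> None:
        self.active_kvno, self.staged_kvno = self.staged_kvno, 0

    def export_keytab(self, kvno: int) -> bytes:
        return self.keys[kvno]

    def issue_ticket(self, client: str) -> Ticket:
        return Ticket(self.active_kvno, _seal(self.keys[self.active_kvno], client))


class AFSServer:
    """A file server with its local KeyFile, modelled as a kvno -> key table."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.keyfile: dict[int, bytes] = {}

    def install_key(self, kvno: int, key: bytes) -> None:
        self.keyfile[kvno] = key

    def accept_token(self, ticket: Ticket, client: str) -> bool:
        key = self.keyfile.get(ticket.kvno)
        if key is None:  # kvno missing from KeyFile: token rejected
            return False
        return hmac.compare_digest(ticket.mac, _seal(key, client))


def rollover_immediate(n_servers: int = 2) -> dict[str, bool]:
    """Current situation: change the key, then distribute it server by server.
    A ticket issued right after the change is only honoured by servers that
    have already received the new key."""
    kdc = KDC()
    servers = [AFSServer(f"fs{i + 1}") for i in range(n_servers)]
    kv1 = kdc.change_key()
    for s in servers:
        s.install_key(kv1, kdc.export_keytab(kv1))
    kv2 = kdc.change_key()            # KDC issues under kv2 from this moment
    ticket = kdc.issue_ticket("alice")
    servers[0].install_key(kv2, kdc.export_keytab(kv2))  # only fs1 updated so far
    return {s.name: s.accept_token(ticket, "alice") for s in servers}


def rollover_staged(n_servers: int = 2) -> dict[str, tuple[bool, bool]]:
    """Proposed situation: stage the key, populate every KeyFile, then activate.
    Returns, per server, whether a ticket issued before activation and one
    issued after it are both accepted."""
    kdc = KDC()
    servers = [AFSServer(f"fs{i + 1}") for i in range(n_servers)]
    kv1 = kdc.change_key()
    for s in servers:
        s.install_key(kv1, kdc.export_keytab(kv1))
    kv2 = kdc.stage_key()             # tickets are still issued under kv1
    before = kdc.issue_ticket("alice")
    for s in servers:
        s.install_key(kv2, kdc.export_keytab(kv2))
    kdc.activate_staged()
    after = kdc.issue_ticket("alice")
    return {s.name: (s.accept_token(before, "alice"), s.accept_token(after, "alice"))
            for s in servers}


if __name__ == "__main__":
    print("immediate:", rollover_immediate())   # laggard servers reject the token
    print("staged:   ", rollover_staged())      # every server accepts old and new
```

Running it shows the window the post warns about: with an immediate key change, a token minted between the KDC change and the last KeyFile update is rejected by every server not yet updated, whereas staging lets every KeyFile hold both key versions before any ticket is cut under the new one, so old and new tokens are both honoured throughout.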