KDC Rekeying

Notes on KDC rekeying, as discussed in inf-unit meeting 25/10/07

These are the steps required to move from single-DES keys to AES (from notes I took at the meeting, with new questions added, mainly about the different attributes in kdc.conf/krb5.conf and which of these, or both, are used on the KDC)...

  • Remove both default_tkt_enctypes and default_tgs_enctypes from krb5.conf everywhere.
  • On the KDC only, add AES and the other new encryption types to both supported_enctypes and kdc_supported_enctypes. There is a complete list of supported encryption types in the Admin manual MIT supply with each Kerberos release.
  • Take des out of supported_enctypes on the KDC. Don't remove des from kdc_supported_enctypes - the kerberos component should be checked to make sure it doesn't use the same resource for the supported and kdc_supported attributes.
  • Rekey the TGT, using the --keepold option, to add the new encryption types. Services will be rekeyed as they upgrade, users as they change their passwords.
Flag day...
  • TGT - remove the old TGT key from the database. This is scary, as you either have to hand edit the database, or you have to rekey without --keepold, which breaks all of the clients.

Most vital is that throughout all of this, it must be possible for DES keys to still be issued, as the afs service key must remain a single DES key. This means making sure that whilst the KDC no longer defaults to creating DES keys, it is still prepared to issue and handle them.
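As an added example (not from the meeting notes or the MIT distribution), a small pre-flight check for the target state described above: no default_tkt_enctypes/default_tgs_enctypes in krb5.conf, AES present in both KDC attributes, DES dropped from supported_enctypes but kept in kdc_supported_enctypes so the single-DES afs key can still be issued. It assumes the default_*_enctypes live in krb5.conf [libdefaults] and the two supported_* attributes in kdc.conf, and the sample configs and enctype names are constructed; the parser deliberately ignores section and realm nesting.

```python
import re
# Constructed sample configs (not from the page): the starting state with DES defaults ...
KRB5_CONF_BEFORE = """[libdefaults]
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
"""
KDC_CONF_BEFORE = """[realms]
    EXAMPLE.COM = {
        supported_enctypes = des-cbc-crc:normal
        kdc_supported_enctypes = des-cbc-crc:normal
    }
"""
# ... and the target state after the edits the notes describe.
KRB5_CONF_AFTER = """[libdefaults]
    default_realm = EXAMPLE.COM
"""
KDC_CONF_AFTER = """[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
        kdc_supported_enctypes = aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal
    }
"""
ASSIGN = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")

def parse_assignments(text):
    """Collect key = value pairs; section headers and realm braces are deliberately ignored."""
    found = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.split("#", 1)[0])  # strip trailing comments
        if m and m.group(2) != "{":
            found[m.group(1)] = m.group(2).split()
    return found

def has_prefix(enctypes, prefix):
    return any(e.lower().startswith(prefix) for e in enctypes)

def check_rekey_config(krb5_conf, kdc_conf):
    """Return deviations from the target state in the notes; an empty list means the configs match."""
    client, kdc = parse_assignments(krb5_conf), parse_assignments(kdc_conf)
    supported = kdc.get("supported_enctypes", [])
    kdc_supported = kdc.get("kdc_supported_enctypes", [])
    problems = [f"krb5.conf still sets {k}" for k in ("default_tkt_enctypes", "default_tgs_enctypes") if k in client]
    if not has_prefix(supported, "aes"):
        problems.append("supported_enctypes has no AES type")
    if not has_prefix(kdc_supported, "aes"):
        problems.append("kdc_supported_enctypes has no AES type")
    if has_prefix(supported, "des-"):
        problems.append("supported_enctypes still lists DES, so new keys default to DES")
    if not has_prefix(kdc_supported, "des-"):
        problems.append("kdc_supported_enctypes lacks DES, so the single-DES afs key cannot be issued")
    return problems
```

Run it against the real files before and after the flag day; the last check is the one that guards the afs service key.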

-- TobyBlake - 25 Oct 2007

Topic revision: r3 - 31 Oct 2007 - 16:15:00 - TobyBlake