Subject: race in normal service key rotation.
There's also a race in normal service key rotation. Observed by
thinking about the code. This is less severe than 5338 (which I just
filed) but should still be fixed.
When you use ktadd via kadmin:
1. the interface provides a WO interface to the Kerberos DB,
2. the KDC updates its database to have the new key,
3. the KDC tells you what the new key is,
4. you install the new key in your keytab.
If a client beats you between steps 2 and 4, then it will get a fatal
error (for any reason, including network lossage, kadmin client crash, etc.).
The solution to this is to write your own key rotation program which
sets the password over kadmin AFTER you update your keytab.
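The ordering problem above, as an added simulation that is not part of this report and uses no real kadmin or krb5 code. A toy KDC holds the service key and kvno and "issues" tickets as a keyed MAC under that key; a toy keytab maps kvno to key. A client is interleaved after every step of each rotation order. In the ktadd order (KDC first, keytab last) the client that lands between steps 2 and 4 presents a ticket with a kvno the keytab does not have yet and fails; in the keytab-first order the new entry is already in the keytab (and the old one is retained for in-flight tickets) before the KDC switches, so the client never fails. All names, the MAC-as-encryption stand-in and the sample principal are assumptions of this example.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class ServiceKeyError(Exception):
    """Raised when the service cannot accept a ticket (toy stand-in for a krb5 error)."""


@dataclass
class Kdc:
    """Toy KDC: the service principal's current key and key version number (kvno)."""
    key: bytes
    kvno: int

    def issue_ticket(self, client: str) -> tuple[int, bytes, bytes]:
        # A real service ticket is encrypted with the service key; a keyed MAC
        # over a nonce and client name stands in for that here (constructed).
        body = secrets.token_bytes(8) + client.encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return self.kvno, body, tag


@dataclass
class Keytab:
    """Toy keytab: kvno -> key. Adding an entry never removes older ones."""
    entries: dict[int, bytes] = field(default_factory=dict)

    def add(self, kvno: int, key: bytes) -> None:
        self.entries[kvno] = key


def service_accept(keytab: Keytab, ticket: tuple[int, bytes, bytes]) -> bool:
    """The service side: look up the key by kvno and verify the ticket."""
    kvno, body, tag = ticket
    key = keytab.entries.get(kvno)
    if key is None:
        raise ServiceKeyError(f"no key with kvno {kvno} in keytab")
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ServiceKeyError("ticket did not verify under the keytab key")
    return True


def ktadd_rotation(kdc: Kdc, keytab: Keytab):
    """The ktadd order from the report: KDC gets the new key (step 2), then the
    key is handed back (step 3) and installed in the keytab (step 4)."""
    new_key = secrets.token_bytes(32)
    kdc.key, kdc.kvno = new_key, kdc.kvno + 1      # step 2: KDC updated first
    yield "kdc updated"                            # window between steps 2 and 4
    keytab.add(kdc.kvno, new_key)                  # step 4: keytab updated last
    yield "keytab updated"


def keytab_first_rotation(kdc: Kdc, keytab: Keytab):
    """The proposed fix: generate the key locally, install it in the keytab
    under the next kvno (keeping the old entry), and only then set it at the KDC."""
    new_key = secrets.token_bytes(32)
    keytab.add(kdc.kvno + 1, new_key)              # keytab first, old kvno kept
    yield "keytab updated"
    kdc.key, kdc.kvno = new_key, kdc.kvno + 1      # KDC switches last
    yield "kdc updated"


def run_with_interleaved_client(rotation) -> list[tuple[str, bool]]:
    """Run a rotation and, after every step, have a client obtain a ticket from
    the KDC and present it to the service. Returns (step, accepted) per step."""
    key0 = secrets.token_bytes(32)
    kdc, keytab = Kdc(key0, 1), Keytab({1: key0})
    results = []
    for step in rotation(kdc, keytab):
        ticket = kdc.issue_ticket("alice@EXAMPLE.COM")   # constructed client
        try:
            results.append((step, service_accept(keytab, ticket)))
        except ServiceKeyError:
            results.append((step, False))
    return results


def old_ticket_survives(rotation) -> bool:
    """A ticket issued before the rotation must still be accepted afterwards,
    which requires the old kvno entry to remain in the keytab."""
    key0 = secrets.token_bytes(32)
    kdc, keytab = Kdc(key0, 1), Keytab({1: key0})
    ticket = kdc.issue_ticket("bob@EXAMPLE.COM")       # constructed client
    for _ in rotation(kdc, keytab):
        pass
    try:
        return service_accept(keytab, ticket)
    except ServiceKeyError:
        return False


if __name__ == "__main__":
    print("ktadd order:       ", run_with_interleaved_client(ktadd_rotation))
    print("keytab-first order:", run_with_interleaved_client(keytab_first_rotation))
```

The failing entry in the ktadd run is the race from the report: the KDC is already issuing tickets under the new kvno while the keytab only knows the old one. The keytab-first order closes that window, and because neither order removes the old kvno entry, tickets issued before the rotation keep working until they expire.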