| Subject: | new multi-masterkey support doesn't work well when system clock is set back |
If the system clock on a KDC is set back in time after a mkey is
activated "now" or if the admin sets the active time for all existing
mkeys in the future it is possible that the code will not find any mkey
active. This is a problem as there should always be one "active" mkey
used to protect principal keys. I'd like to address this by making
several changes including:
- Modify krb5_dbe_find_act_mkey() to return the mkey with the lowest
KVNO if there are no actkvno entries with a time equal or earlier than
the current time.
- Modify krb5_dbe_fetch_act_key_list() to return a default actkvno entry
with time == 0 if there is not actkvno TL data in the mkey princ
entry. Currently its setting time to the current time but again if
the clock is set back this could cause problems.
- Remove the code in use_mkey that auto-trims the actkvno list. I
don't think this is really necessary since the actkvno list will be
edited when the purge_mkeys command is run.
activated "now" or if the admin sets the active time for all existing
mkeys in the future it is possible that the code will not find any mkey
active. This is a problem as there should always be one "active" mkey
used to protect principal keys. I'd like to address this by making
several changes including:
- Modify krb5_dbe_find_act_mkey() to return the mkey with the lowest
KVNO if there are no actkvno entries with a time equal or earlier than
the current time.
- Modify krb5_dbe_fetch_act_key_list() to return a default actkvno entry
with time == 0 if there is not actkvno TL data in the mkey princ
entry. Currently its setting time to the current time but again if
the clock is set back this could cause problems.
- Remove the code in use_mkey that auto-trims the actkvno list. I
don't think this is really necessary since the actkvno list will be
edited when the purge_mkeys command is run.