|Date:||Thu, 25 Oct 2012 19:25:49 -0400|
|From:||Richard Basch <firstname.lastname@example.org>|
|Subject:||krb5-1.10.3: Updating krbtgt with kvno 0|
I was experimenting with a Kerberos database which was constructed in the early 1990s when the db_creation would create krbtgt with kvno = 0.
If you try to update the krbtgt, using “cpw –randkey –keepold krbtgt/XXX”, the old key cannot effectively be used by clients. *_search_enctypes and *_find_enctypes allow kvno to be passed in as a search criteria, but the default routine (in lib/kdb/kdb_default.c) will treat kvno=0 as a flag to return the latest kvno. Ironically, it also treats -1 the same way.
This problem with krbtgt key rotation only occurs when you have a krbtgt with kvno=0 (which again can happen if the database was created long ago but the key was never updated).
A quick fix is to change the KDC code to pass in kvno=-1 when searching for “latest key” and change the routine such that kvno=0 will return kvno 0 if found or latest key if not found (that way, the API is relatively cleanly preserved).
Fix calls from:
If you agree with the above approach, I will send in a patch… (though it is probably not difficult to re-implement with the above description of the framework).