On 10/31/23 21:16, Dan Mahoney (Gushi) wrote:
We've recently gone through all the hard work of switching off 3des on our KDCs and rolling all the things, but one of the things we note is that some of our users still have the keys with the old enctypes present. Is there a way to delete just those deprecated keys, without forcing a password change?

I don't believe we have that feature currently; the closest we have is the kadmin purgekeys command, but that command (and its associated libkadm5 RPC) only removes whole key versions.

It would be possible to write a C program using libkdb5 to crawl the database and remove the desired keys; I can't think of any simpler approach. I believe common practice is just to force password changes, or wait until password maximum lifetimes force changes over time.

If you're at the point of not relying on any des3-cbc-sha1 keys, you can set a permitted_enctypes in [libdefaults] on the KDC that does not include it (a value of "DEFAULT -des3" should work). Then the KDC will ignore those keys while continuing to allow the other ones to be used.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
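Before forcing password changes or excluding des3-cbc-sha1 via permitted_enctypes, an administrator usually wants a list of which principals still carry deprecated keys. The following is an added example, not code from the thread or from MIT krb5: it parses "Key: vno N, enctype" lines as printed by kadmin getprinc (the sample output below is constructed, and the set of enctypes counted as deprecated is an assumption to adjust to your realm's policy) and reports the principals and key versions that still hold old enctypes.

```python
import re
from collections import defaultdict

# Enctypes treated as deprecated here (assumption: des3-cbc-sha1 as in the
# thread, plus single DES and RC4); edit to match your realm's policy.
DEPRECATED_ENCTYPES = {
    "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5",
    "arcfour-hmac", "arcfour-hmac-exp",
}

# Constructed sample resembling "kadmin.local getprinc" output for several
# principals; not taken from a real KDC. Both the plain "Key:" form and the
# ", no salt" / ":salttype" variants are included so the parser handles each.
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.ORG
Number of keys: 3
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1
MKey: vno 1
Principal: bob@EXAMPLE.ORG
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Principal: host/kdc.example.org@EXAMPLE.ORG
Number of keys: 2
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac:normal
"""

PRINC_RE = re.compile(r"^Principal:\s+(\S+)")
# Enctype name stops at ":" (salt type) or "," (", no salt"), so both forms match.
KEY_RE = re.compile(r"^Key:\s+vno\s+(\d+),\s+([A-Za-z0-9-]+)")

def parse_getprinc(text):
    """Return {principal: [(kvno, enctype), ...]} from getprinc-style output."""
    keys = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = PRINC_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            keys[current].append((int(m.group(1)), m.group(2)))
    return dict(keys)

def principals_with_deprecated_keys(text, deprecated=DEPRECATED_ENCTYPES):
    """Map each principal still holding a deprecated-enctype key to the sorted
    (kvno, enctype) pairs that need to be retired; clean principals are omitted."""
    report = {}
    for princ, keylist in parse_getprinc(text).items():
        stale = sorted((kvno, et) for kvno, et in keylist if et in deprecated)
        if stale:
            report[princ] = stale
    return report

if __name__ == "__main__":
    for princ, stale in principals_with_deprecated_keys(SAMPLE_GETPRINC).items():
        print(princ, ", ".join(f"vno {k} {e}" for k, e in stale))
```

On a real KDC, feed it the output of `kadmin.local getprinc` for each principal (for example from `kadmin.local listprincs`) instead of the constructed sample.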
