Natxo Asenjo via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> does anybody rotate host keytabs? Is it worth it security-wise?

Hi, krb5 maintainer here.

Keytab rotation is ugly. I recommend not doing it if you can avoid it, largely because one of two things will happen:

- All clients who have credentials against the old keytab will see messy, inexplicable authentication failures.
- If you try to get around that by keeping the old entry around in the keytab (i.e., multiple kvnos), you haven't actually accomplished anything.

So there's a serious trade-off between any security benefit that might accrue and the burden of cleaning up afterward.

Service keytabs (of which host keytabs are an instance) in freeIPA aren't tied to a user-supplied password. (Outside freeIPA, they usually aren't either.) Therefore, I don't see a vector in which rotating them is helpful, unless you're worried about the strength of the underlying cryptography (and if you're worried about AES-256, I'm not sure there's much anyone can do to help).

Thanks,
--Robbie
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/ZWV6GD3XX47SFMM74SXC5XZLZLHZB2Q6/
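A toy model of the kvno trade-off described in the reply above, added here as an example that is not from the thread and not MIT krb5 or FreeIPA code: the HMAC "seal", the principal names and the keytab-as-dict layout are constructed stand-ins for real ticket encryption, and the two error names are the standard Kerberos AP error codes a client would see.

```python
import hmac
import hashlib
import os

# Constructed model: a keytab maps kvno -> service key. A ticket is sealed
# with an HMAC tag under the service key of the kvno the KDC held at issue time.

def seal(key, kvno, client):
    return hmac.new(key, f"{kvno}:{client}".encode(), hashlib.sha256).hexdigest()

def issue_ticket(kdc_keys, client):
    """KDC side: seal a service ticket under the KDC's current (highest) kvno."""
    kvno = max(kdc_keys)
    return {"kvno": kvno, "client": client, "tag": seal(kdc_keys[kvno], kvno, client)}

def accept_ticket(keytab, ticket):
    """Service side: look up the ticket's kvno in the keytab, then verify the seal."""
    key = keytab.get(ticket["kvno"])
    if key is None:
        return "KRB_AP_ERR_BADKEYVER"      # the key for that kvno is gone from the keytab
    if not hmac.compare_digest(seal(key, ticket["kvno"], ticket["client"]), ticket["tag"]):
        return "KRB_AP_ERR_BAD_INTEGRITY"
    return "OK"

def rotation_outcomes():
    """Walk through both outcomes the reply describes and return the results."""
    k1, k2 = os.urandom(32), os.urandom(32)
    kdc, keytab = {1: k1}, {1: k1}
    # A client obtained a ticket before rotation and still holds it in its cache.
    cached = issue_ticket(kdc, "alice@EXAMPLE.TEST")
    before = accept_ticket(keytab, cached)
    # Outcome 1: rotate to kvno 2 and drop the old entry -> cached tickets fail.
    kdc[2] = k2
    strict = accept_ticket({2: k2}, cached)
    # Outcome 2: keep kvno 1 alongside kvno 2 -> cached tickets keep working ...
    lenient = {1: k1, 2: k2}
    still_ok = accept_ticket(lenient, cached)
    # ... but anything sealed with the old key (say, from a leaked backup of the
    # old keytab) is still accepted, so the rotation has not retired that key.
    sealed_with_old_key = {"kvno": 1, "client": "mallory@EXAMPLE.TEST",
                           "tag": seal(k1, 1, "mallory@EXAMPLE.TEST")}
    old_key_usable = accept_ticket(lenient, sealed_with_old_key)
    return {"before": before, "strict_rotation": strict,
            "keep_old_kvno": still_ok, "old_key_still_usable": old_key_usable}

if __name__ == "__main__":
    for name, result in rotation_outcomes().items():
        print(f"{name}: {result}")
```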