Natxo Asenjo via FreeIPA-users <>

> does anybody rotate host keytabs? Is it worth it security-wise?

Hi, krb5 maintainer here.  Keytab rotation is ugly.  I recommend not
doing it if you can avoid it largely because one of two things will

- All clients who have credentials against the old keytab will see
  messy, inexplicable authentication failures.

- If you try to get around that by keeping the old entry around in the
  keytab (i.e., multiple kvnos), you haven't actually accomplished

So there's a serious trade-off between any security benefit that might
accrue and the burden of cleaning up afterward.

Service keytabs (of which host keytabs are an instance) in FreeIPA
aren't tied to a user-supplied password.  (Outside FreeIPA, they usually
aren't either.)  Therefore, I don't see a vector in which rotating them
is helpful, unless you're worried about the strength of the underlying
cryptography (and if you're worried about AES-256, I'm not sure there's
much anyone can do to help).


FreeIPA-users mailing list --