On 08/03/2011 07:44 AM, Simo Sorce wrote:
>> I have some questions regarding IPA:
>> >      1. On the IPA client side, which daemon is looking after machine
>> >         Kerberos host/ principal renewal?
> Keytabs are random secrets and do not need to expire as cracking them is
> considered a problem out of current computational reach, unlike users'
> passwords, which use a much smaller set of values and are less random in
> nature.
>
There is none at the moment; however, it is generally a good practice to
rotate even secure keys like keytabs from time to time.
One of the ideas I have for that is to allow certmonger to bind with
mutual SSL auth or using current keytab and request a new keytab instead
of the old one.
But this has not even been filed as an enhancement as no one cared about
such functionality until now.

What is your use case for this functionality?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

