On 08/04/2011 10:47 AM, Simo Sorce wrote:
> On Thu, 2011-08-04 at 10:43 -0400, Dmitri Pal wrote:
>> On 08/04/2011 10:28 AM, Simo Sorce wrote:
>>> On Thu, 2011-08-04 at 10:25 -0400, Dmitri Pal wrote:
>>>> On 08/04/2011 03:52 AM, Ondrej Valousek wrote:
>>>>> On 03.08.2011 23:52, Dmitri Pal wrote:
>>>>>> But this has not been even filed as an enhancement as no one cared about
>>>>>> such functionality until now.
>>>>>> What is your use case for this functionality?
>>>>> Actually, I do not need such a functionality. I was asking because I
>>>>> know Windows rotate keytabs so I was expecting IPA might as well.
>>>>> I guess there is no big press for it now but I would say in general
>>>>> we should support it as well - for security reasons if not for
>>>>> anything else.
>>>> I created a BZ. I am not sure certmonger is the right component
>>>> But at least it will be on the plate of the right person to make the
>>>> decision and propose alternative approaches.
>>> SSSD is probably a more appropriate component for keytabs, given in the
>>> IPA case it is a primary user of the keytab for validation purposes.
>> Yes. May be it is SSSD. But may be the kerberos library should have a
>> way to rotate keytabs over the kerberos protocol?
> Yes it is called a password change technically :)
>> That would be even better as key rotation would then become a centrally
>> managed policy rather than triggered by a client.
> You cannot do it outside of a client, only the client has the original
> key to do (and be able to receive on a secure channel) the password
Yes but server can indicate in some attribute to the client that it is
time to start doing this and the client will do the change.
>> The BZ will help me not to forget to start a broader discussion on the
>> matter when time comes.
Sr. Engineering Manager IPA project,
Red Hat Inc.
Looking to carve out IT costs?
Freeipa-users mailing list