On 08/04/2011 10:47 AM, Simo Sorce wrote:
> On Thu, 2011-08-04 at 10:43 -0400, Dmitri Pal wrote:
>> On 08/04/2011 10:28 AM, Simo Sorce wrote:
>>> On Thu, 2011-08-04 at 10:25 -0400, Dmitri Pal wrote:
>>>> On 08/04/2011 03:52 AM, Ondrej Valousek wrote: 
>>>>> On 03.08.2011 23:52, Dmitri Pal wrote: 
>>>>>> But this has not been even filed as an enhancement as no one cared about
>>>>>> such functionality until now.
>>>>>> What is your use case for this functionality?
>>>>> Actually, I do not need such a functionality. I was asking because I
>>>>> know Windows rotate keytabs so I was expecting IPA might as well.
>>>>> I guess there is no big press for it now but I would say in general
>>>>> we should support it as well - for security reasons if not for
>>>>> anything else.
>>>> I created a BZ. I am not sure certmonger is the right component
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=728263
>>>> But at least it will be on the plate of the right person to make the
>>>> decision and propose alternative approaches. 
>>> SSSD is probably a more appropriate component for keytabs, given in the
>>> IPA case it is a primary user of the keytab for validation purposes.
>>> Simo.
>> Yes. May be it is SSSD. But may be the kerberos library should have a
>> way to rotate keytabs over the kerberos protocol?
> Yes it is called a password change technically :)
>> That would be even better as key rotation would then become a centrally
>> managed policy rather than triggered by a client.
> You cannot do it outside of a client, only the client has the original
> key to do (and be able to receive on a secure channel) the password
> change.

Yes but server can indicate in some attribute to the client that it is
time to start doing this and the client will do the change.

>> The BZ will help me not to forget to start a broader discussion on the
>> matter when time comes.
> Ok.
> Simo.

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to