I would say you decide it by either adding key 4 to the keytab and having, for a period, two keys in the keytab for just the case you described (no interruption of service), or you replace key 3 with key 4. In that case a client with key 3 can't connect. Personally I would use the first option and probably halve the validity time of each key.
Markus

"Srinivas Cheruku" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi All,
>
> I understand that we need to change Kerberos keys at regular intervals,
> since it is not recommended to use the same keys for a long amount of
> time.
> When we change keys the kvno is incremented and the old keys are also
> stored in the Kerberos user repository.
> Can anyone give me a scenario where these old keys are used?
>
> Also, I want a better understanding of kvno and keys usage in the below
> scenario.
>
> I have a key extracted in my key table file on the server, say with kvno 3.
> The client has got a service ticket with kvno 3. Then, I will change the
> key and extract the key into the key table file, which will be with kvno
> 4. Now, I will be having two keys with kvno 3 and kvno 4 in the key table
> file on the server.
>
> Since the client had already got the service ticket with kvno 3, and the
> latest key in the key table file is with kvno 4, what should happen if he
> tries to access the service?
> Should the service ticket with kvno 3 be accepted by the server?
> Or should it give an error, since the latest key in the key table file is
> with kvno 4?
>
> I would very much appreciate it if you can let me know what should happen in
> this case.
>
> Thanks and Regards,
> Srini
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
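The behaviour the two replies above describe, as an added example that is not part of the thread or of any Kerberos implementation: a service selects its keytab entry by the kvno carried in the ticket's encrypted part, so a ticket issued under kvno 3 keeps working while the kvno 3 entry is still in the keytab and stops working once that entry is replaced by kvno 4. The principal name and keys are constructed for the demonstration, and the "cipher" is a SHA-256 keystream plus HMAC tag standing in for a real Kerberos enctype, not Kerberos cryptography.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# --- toy cipher ----------------------------------------------------------
# Stand-in for a Kerberos encryption type (assumption, not a real enctype):
# SHA-256 keystream for confidentiality, HMAC-SHA256 tag for integrity.
def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: data not encrypted under this key")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, len(body))))

# --- keytab holding several key versions ----------------------------------
class Keytab:
    """Maps (service principal, kvno) to a key, like a multi-entry keytab file."""
    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, int], bytes] = {}

    def add(self, principal: str, kvno: int, key: bytes) -> None:
        self._entries[(principal, kvno)] = key

    def remove(self, principal: str, kvno: int) -> None:
        del self._entries[(principal, kvno)]

    def lookup(self, principal: str, kvno: int) -> Optional[bytes]:
        return self._entries.get((principal, kvno))

@dataclass(frozen=True)
class ServiceTicket:
    sprinc: str
    kvno: int        # key version the KDC used for enc_part
    enc_part: bytes  # ticket body encrypted under the service key of that kvno

def issue_ticket(sprinc: str, kdc_key: bytes, kdc_kvno: int, client: str) -> ServiceTicket:
    """KDC side: encrypt the ticket body under the service key the KDC currently holds."""
    return ServiceTicket(sprinc, kdc_kvno, encrypt(kdc_key, f"cname={client}".encode()))

def accept_ticket(keytab: Keytab, ticket: ServiceTicket) -> str:
    """Service side: pick the keytab entry by the kvno in the ticket, not the newest one."""
    key = keytab.lookup(ticket.sprinc, ticket.kvno)
    if key is None:
        # No entry for that version: MIT krb5 reports this as
        # "Key version number for principal in key table is incorrect"
        # and never attempts decryption with a different version.
        return "rejected: no keytab entry for kvno %d" % ticket.kvno
    decrypt(key, ticket.enc_part)  # would raise if a wrong key were ever selected
    return "accepted"

def rotation_scenario(keep_old_key: bool) -> str:
    """Srini's scenario: ticket issued under kvno 3, then the service key moves to kvno 4."""
    sprinc = "host/app.example.com@EXAMPLE.COM"                   # hypothetical principal
    key3 = hashlib.sha256(b"service key version 3").digest()     # constructed key
    key4 = hashlib.sha256(b"service key version 4").digest()     # constructed key

    keytab = Keytab()
    keytab.add(sprinc, 3, key3)

    # Client obtains its service ticket while the KDC still uses kvno 3.
    ticket = issue_ticket(sprinc, key3, 3, "srini@EXAMPLE.COM")

    # Key change: KDC moves to kvno 4 and the new key is extracted to the keytab.
    keytab.add(sprinc, 4, key4)
    if not keep_old_key:
        keytab.remove(sprinc, 3)   # Markus's second option: replace key 3 with key 4

    # Client presents the ticket it already holds.
    return accept_ticket(keytab, ticket)

if __name__ == "__main__":
    print("kvno 3 and 4 both in keytab:", rotation_scenario(True))
    print("kvno 3 entry removed:       ", rotation_scenario(False))
```

The lookup key is (principal, kvno); a real keytab entry also carries the enctype, and the same selection applies there. Keeping the kvno 3 entry for at least the maximum ticket lifetime (plus renewable lifetime, if tickets are renewable) is what lets the first option avoid an interruption of service.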
