diff options
| author | Tom Yu <tlyu@mit.edu> | 2006-11-11 01:57:27 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2006-11-11 01:57:27 +0000 |
| commit | 439da0cc186e21b96f035163742134a0d87ba746 (patch) | |
| tree | 413908c92aeea9f01b8e5c6c639f43ee6655a21e | |
| parent | 1b184093b425dcea3084d76976d34a7519de1e62 (diff) | |
| download | krb5-439da0cc186e21b96f035163742134a0d87ba746.zip krb5-439da0cc186e21b96f035163742134a0d87ba746.tar.gz krb5-439da0cc186e21b96f035163742134a0d87ba746.tar.bz2 | |
pull up r18792 from trunk
r18792@cathode-dark-space: rra | 2006-11-09 17:58:02 -0500
ticket: new
Componet: krb5-doc
Version_Reported: 1.4.4
Target_Version: 1.6
Tags: pullup
Document how to change the krbtgt key for a realm.
ticket: 4692
version_fixed: 1.6
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@18798 dc483132-0cff-0310-8789-dd5450dbe970
| -rw-r--r-- | doc/admin.texinfo | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 4a4a301..936b8da 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -1401,6 +1401,7 @@ authenticate to KADM5. * Policies:: * Global Operations on the Kerberos Database:: * Cross-realm Authentication:: +* Changing the krbtgt Key:: @end menu @node Kadmin Options, Date Format, Administrating the Kerberos Database, Administrating the Kerberos Database @@ -2428,7 +2429,7 @@ confirmation before destroying the database. This will have to wait until the next release. *sigh* @end ignore -@node Cross-realm Authentication, , Global Operations on the Kerberos Database, Administrating the Kerberos Database +@node Cross-realm Authentication, Changing the krbtgt Key, Global Operations on the Kerberos Database, Administrating the Kerberos Database @section Cross-realm Authentication In order for a KDC in one realm to authenticate Kerberos users in a @@ -2463,6 +2464,37 @@ It is also very important that these principals have good passwords. @value{COMPANY} recommends that TGT principal passwords be at least 26 characters of random ASCII text. +@node Changing the krbtgt Key, , Cross-realm Authentication, Administrating the Kerberos Database +@section Changing the krbtgt Key + +A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the +principal krbtgt/@i{REALM}. The key for this principal is created when +the Kerberos database is initialized and need not be changed. However, +it will only have the encryption types supported by the KDC at the time +of the initial database creation. To allow use of newer encryption +types for the TGT, this key has to be changed. + +Changing this key using the normal @code{kadmin change_password} command +would invalidate any previously issued TGTs. Therefore, when changing +this key, normally one should use the @b{-keepold} flag to +@code{change_password} to retain the previous key in the database as +well as the new key. For example: + +@smallexample +@group +@b{kadmin:} change_password -randkey -keepold krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM} +@end group +@end smallexample + +There is currently no way to remove the old key without running +@code{change_password} without the @b{-keepold} flag (and thereby +invalidating all existing TGTs). After issuing this command, the old +key is still valid and is still vulnerable to (for instance) brute force +attacks. To completely retire an old key or encryption type, it's +therefore currently necessary to declare a flag day, run +@code{change_password} without the @b{-keepold} flag, and force all +users to acquire new tickets. + @node Application Servers, Backups of Secure Hosts, Administrating the Kerberos Database, Top @chapter Application Servers |