Hi folks,
I want to upload a corefile of a crashed named process that likely has
the keys for DNS/$HOSTNAME embedded within it.
I've run 'ipa-getkeytab -p DNS/$HOSTNAME -k /etc/named.keytab' to
generate new keys for the service & store them in the keytab file. The
previous keys are still present in the keytab file, so that the acceptor
can authenticate any clients using a service ticket issued before the
acceptor's keys were rotated, I believe?
Am I correct to say that once the service's keys have been rotated AND that
change has been replicated to all servers AND all existing service
tickets for DNS/$HOSTNAME have expired, the old keys are useless &
safe to disclose?
Regardless, removing the old tickets from the keytab file with ktutil is
quite fiddly. You have to 'rkt' the old keytab file, 'delent' on each
entry with an old kvno, then 'wkt' to a new file, then move the new file
over the old one & fix up the owner/group/mode/context. But I found that
'kadmin.local ktremove -k /etc/named.keytab DNS/$HOSTNAME old' automated
the process of removing the old keys from the keytab file in-place.
Maybe someone else might find that info useful.
Thanks as always!
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
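As an added example (not code from the post above or from the FreeIPA project), a small POSIX shell helper that turns `klist -k` output into the ktutil command sequence the post describes, deleting only the slots whose kvno is older than the newest one for the principal. The keytab listing, principal and hostname are constructed; it assumes ktutil numbers slots in the same order that klist prints entries, and it emits the `delent` commands highest slot first because each deletion renumbers the slots after it.

```shell
#!/bin/sh
# Constructed sample of 'klist -k /etc/named.keytab' output (not a real keytab).
SAMPLE_KLIST='Keytab name: FILE:/etc/named.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 DNS/ns1.example.test@EXAMPLE.TEST
   3 DNS/ns1.example.test@EXAMPLE.TEST
   4 DNS/ns1.example.test@EXAMPLE.TEST
   4 DNS/ns1.example.test@EXAMPLE.TEST'

# stale_slots PRINCIPAL  (reads klist -k output on stdin)
# Prints the 1-based ktutil slot numbers of PRINCIPAL entries whose kvno is
# lower than the highest kvno present for that principal, highest slot first.
# Entries for other principals only advance the slot counter; they are kept.
stale_slots() {
    awk -v principal="$1" '
        /^ *[0-9]+ / {
            slot++
            if ($2 == principal) {
                kvno[slot] = $1 + 0
                if ($1 + 0 > max) max = $1 + 0
            }
        }
        END {
            # Descending order: "delent 2" before "delent 1", so the slot
            # numbers still to be deleted are not shifted by earlier deletions.
            for (s = slot; s >= 1; s--)
                if ((s in kvno) && kvno[s] < max) print s
        }'
}

# ktutil_script PRINCIPAL OLD_KEYTAB NEW_KEYTAB  (reads klist -k output on stdin)
# Emits the rkt / delent / wkt sequence to feed to ktutil. Moving NEW_KEYTAB
# over OLD_KEYTAB and restoring owner, group, mode and SELinux context is
# left to the operator, as in the post.
ktutil_script() {
    slots=$(stale_slots "$1")
    echo "rkt $2"
    for s in $slots; do
        echo "delent $s"
    done
    echo "wkt $3"
    echo "quit"
}

# Demonstration on the constructed listing: kvno 3 entries (slots 1 and 2) go.
printf '%s\n' "$SAMPLE_KLIST" |
    ktutil_script DNS/ns1.example.test@EXAMPLE.TEST /etc/named.keytab /etc/named.keytab.new
```

Review the generated commands before piping them into `ktutil`, and confirm afterwards with `klist -k` that only the newest kvno remains.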
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org