On 08/03/2011 07:44 AM, Simo Sorce wrote:
>> I have some questions regarding IPA:
>>
>> > 1. On the IPA client side, which daemon is looking after machine
>> > Kerberos host/ principal renewal?
>
> Keytabs are random secrets and do not need to expire, as cracking them is
> considered a problem out of current computational reach, unlike user
> passwords, which use a much smaller set of values and are less random in
> nature.
>

There is none at the moment; however, it is generally a good practice to rotate even secure keys like keytabs from time to time. One of the ideas I have for that is to allow certmonger to bind with mutual SSL auth or using the current keytab and request a new keytab instead of the old one. But this has not even been filed as an enhancement, as no one cared about such functionality until now.

What is your use case for this functionality?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
