On Thu, 2011-08-04 at 10:43 -0400, Dmitri Pal wrote:
> On 08/04/2011 10:28 AM, Simo Sorce wrote:
> > On Thu, 2011-08-04 at 10:25 -0400, Dmitri Pal wrote:
> >> On 08/04/2011 03:52 AM, Ondrej Valousek wrote:
> >>> On 03.08.2011 23:52, Dmitri Pal wrote:
> >>>> But this has not been even filed as an enhancement as no one cared about
> >>>> such functionality until now.
> >>>>
> >>>> What is your use case for this functionality?
> >>> Actually, I do not need such a functionality. I was asking because I
> >>> know Windows rotate keytabs so I was expecting IPA might as well.
> >>> I guess there is no big press for it now but I would say in general
> >>> we should support it as well - for security reasons if not for
> >>> anything else.
> >>>
> >> I created a BZ. I am not sure certmonger is the right component
> >> https://bugzilla.redhat.com/show_bug.cgi?id=728263
> >> But at least it will be on the plate of the right person to make the
> >> decision and propose alternative approaches.
> > SSSD is probably a more appropriate component for keytabs, given in the
> > IPA case it is a primary user of the keytab for validation purposes.
> >
> > Simo.
> >
> Yes. Maybe it is SSSD. But maybe the Kerberos library should have a
> way to rotate keytabs over the Kerberos protocol?

Yes it is called a password change technically :)

> That would be even better as key rotation would then become a centrally
> managed policy rather than triggered by a client.

You cannot do it outside of a client, only the client has the original
key to do (and be able to receive on a secure channel) the password
change.

> The BZ will help me not to forget to start a broader discussion on the
> matter when time comes.

Ok.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
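
Since the thread concludes that rotation has to be triggered from the client holding the key, here is a client-side check that flags principals whose newest keytab entry is older than a policy limit. This is an added example, not code from the thread or from FreeIPA/SSSD; it assumes the MIT `klist -kt` column layout with a US-style timestamp (which varies by locale and version), and the sample listing, function names and 90-day limit are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of `klist -kt /etc/krb5.keytab` output (assumed layout).
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   1 01/10/2011 09:15:02 host/client.example.com@EXAMPLE.COM
   2 07/20/2011 14:01:44 host/client.example.com@EXAMPLE.COM
   1 02/01/2010 08:00:00 nfs/client.example.com@EXAMPLE.COM
"""

# Assumed timestamp formats: four-digit year first, then two-digit year.
TS_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")


def parse_ts(text):
    """Parse a listing timestamp; return None if no assumed format matches."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None


def newest_keys(listing):
    """Return {principal: (kvno, timestamp)} for the highest KVNO per principal."""
    newest = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header, separator or blank line
        stamp = parse_ts(" ".join(parts[1:3]))
        if stamp is None:
            continue  # unrecognised timestamp format; skip rather than guess
        kvno, principal = int(parts[0]), parts[3]
        if principal not in newest or kvno > newest[principal][0]:
            newest[principal] = (kvno, stamp)
    return newest


def stale_principals(listing, now, max_age=timedelta(days=90)):
    """Principals whose current (highest-KVNO) key is older than max_age."""
    return sorted(p for p, (_, ts) in newest_keys(listing).items()
                  if now - ts > max_age)


if __name__ == "__main__":
    for principal in stale_principals(SAMPLE, datetime(2011, 8, 4, 10, 43)):
        print("key older than policy limit:", principal)
```

Older KVNO entries left in the keytab are ignored, so a principal is reported only when its current key has aged past the limit.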
