On 08/04/2011 10:47 AM, Simo Sorce wrote:
> On Thu, 2011-08-04 at 10:43 -0400, Dmitri Pal wrote:
>> On 08/04/2011 10:28 AM, Simo Sorce wrote:
>>> On Thu, 2011-08-04 at 10:25 -0400, Dmitri Pal wrote:
>>>> On 08/04/2011 03:52 AM, Ondrej Valousek wrote:
>>>>> On 03.08.2011 23:52, Dmitri Pal wrote:
>>>>>> But this has not even been filed as an enhancement, as no one cared about
>>>>>> such functionality until now.
>>>>>>
>>>>>> What is your use case for this functionality?
>>>>> Actually, I do not need such functionality. I was asking because I
>>>>> know Windows rotates keytabs, so I was expecting IPA might as well.
>>>>> I guess there is no big press for it now, but I would say in general
>>>>> we should support it as well - for security reasons if not for
>>>>> anything else.
>>>>>
>>>> I created a BZ. I am not sure certmonger is the right component:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=728263
>>>> But at least it will be on the plate of the right person to make the
>>>> decision and propose alternative approaches.
>>> SSSD is probably a more appropriate component for keytabs, given that in the
>>> IPA case it is a primary user of the keytab for validation purposes.
>>>
>>> Simo.
>>>
>> Yes. Maybe it is SSSD. But maybe the Kerberos library should have a
>> way to rotate keytabs over the Kerberos protocol?
> Yes, it is called a password change, technically :)
>
>> That would be even better, as key rotation would then become a centrally
>> managed policy rather than triggered by a client.
> You cannot do it outside of a client; only the client has the original
> key to do (and be able to receive on a secure channel) the password
> change.

Yes, but the server can indicate in some attribute to the client that it is time to start doing this, and the client will do the change.

>> The BZ will help me not to forget to start a broader discussion on the
>> matter when the time comes.
> Ok.
>
> Simo.
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
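The thread above argues that keytab keys should be rotated for security reasons but does not show how an administrator would find out which keys are overdue. The following is an added example, not code from the thread, from FreeIPA, SSSD or certmonger: it parses the MIT keytab file format (version 0x0502) and reports entries whose stored timestamp is older than a rotation policy allows. The keytab bytes are constructed in the code itself (the principal names, key bytes and timestamps are made up), the enctype number 18 is the standard AES256-CTS value, and the age check uses the per-entry timestamp the keytab format records when a key is written, which is an approximation of the last rotation rather than an authoritative KDC record.

```python
"""Parse an MIT-format keytab (version 0x0502) and flag keys older than a
rotation policy allows.  Added example for this thread; the keytab bytes
below are constructed in-code, not taken from any real host."""
import struct
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int   # seconds since the epoch, written when the key was stored
    key_len: int     # length only; the key material itself is never returned


def _counted_octets(buf: bytes, off: int):
    """Read a uint16 length prefix followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list:
    """Walk the keytab's entry records, skipping deleted (negative-size) slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen           # step over the key bytes without keeping them
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, timestamp, klen))
    return entries


def stale_entries(entries, now: int, max_age_days: int) -> list:
    """Entries whose key was stored more than max_age_days before `now`."""
    return [e for e in entries
            if now - e.timestamp > max_age_days * SECONDS_PER_DAY]


# --- constructed sample keytab (made-up principals, keys and timestamps) ----
def _encode_entry(principal: str, kvno: int, enctype: int, key: bytes,
                  timestamp: int, deleted: bool = False) -> bytes:
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name type 1 = NT-PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", -len(body) if deleted else len(body)) + body


NOW = 1_312_465_620                     # 2011-08-04, around the date of this thread
AES256_CTS = 18                         # RFC 3962 enctype number
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _encode_entry("host/client.example.test@EXAMPLE.TEST", 3, AES256_CTS,
                    b"\x11" * 32, NOW - 400 * SECONDS_PER_DAY)
    + _encode_entry("nfs/client.example.test@EXAMPLE.TEST", 2, AES256_CTS,
                    b"\x22" * 32, NOW - 500 * SECONDS_PER_DAY, deleted=True)
    + _encode_entry("nfs/client.example.test@EXAMPLE.TEST", 3, AES256_CTS,
                    b"\x33" * 32, NOW - 30 * SECONDS_PER_DAY)
)

if __name__ == "__main__":
    live = parse_keytab(SAMPLE_KEYTAB)
    for e in stale_entries(live, NOW, max_age_days=365):
        age = (NOW - e.timestamp) // SECONDS_PER_DAY
        print(f"{e.principal} kvno={e.kvno} enctype={e.enctype} age={age}d: rotate")
```

The deleted slot in the sample (a negative record size) is left in place on purpose: real keytabs accumulate such slots when keys are removed, and a checker that does not skip them will misparse everything after the first one. On a real host you would read `/etc/krb5.keytab` into `parse_keytab` and feed the result to `stale_entries` with your policy's maximum key age; a positive result is a signal to re-fetch the keytab from the KDC, which is the client-driven key change Simo describes above.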
