I can see only one possible advantage. If someone becomes root and steals your keytab,
regular rotation will limit how long the compromise lasts. Of course that assumes that you
fix the problem that allowed them to become root in the first place.
You could add the new credential, keeping old and new, and then wait long enough before
removing the old one that no one would still be using it. I haven’t tried that though.
On May 17, 2018, at 7:48 PM, Robbie Harwood via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
Natxo Asenjo via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> writes:
> does anybody rotate host keytabs? Is it worth it security-wise?
Hi, krb5 maintainer here. Keytab rotation is ugly. I recommend not
doing it if you can avoid it largely because one of two things will
happen:
- All clients who have credentials against the old keytab will see
messy, inexplicable authentication failures.
- If you try to get around that by keeping the old entry around in the
keytab (i.e., multiple kvnos), you haven't actually accomplished
anything.
So there's a serious trade-off between any security benefit that might
accrue and the burden of cleaning up afterward.
Service keytabs (of which host keytabs are an instance) in freeIPA
aren't tied to a user-supplied password. (Outside freeIPA, they usually
aren't either.) Therefore, I don't see a vector in which rotating them
is helpful, unless you're worried about the strength of the underlying
cryptography (and if you're worried about AES-256, I'm not sure there's
much anyone can do to help).
Thanks,
--Robbie
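As an added illustration (not code from the thread, from krb5 or from FreeIPA): a small parser for MIT keytab files in format 0x0502 that lists the kvnos present per principal and flags old entries that have outlived a retention window, which is the state the "keep old and new, then remove the old one later" approach leaves behind. The keytab bytes, principal, realm, key material and timestamps are all constructed inline for the example.

```python
import struct

def build_entry(realm, comps, kvno, enctype, key, timestamp):
    """Serialize one keytab entry (constructed sample data, not a real key)."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                       # realm first, then name parts
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                 # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

# Constructed keytab: one host principal with an old (3) and a new (4) kvno.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_entry("EXAMPLE.TEST", ["host", "srv1.example.test"], 3, 18, b"\x11" * 32, 1_500_000_000),
    build_entry("EXAMPLE.TEST", ["host", "srv1.example.test"], 4, 18, b"\x22" * 32, 1_526_600_000),
])

def parse_keytab(data):
    """Return (principal, kvno, enctype, timestamp) for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off, end = off + 4, off + 4 + abs(size)
        if size > 0:                                # negative size = deleted slot
            entries.append(_parse_entry(data[off:end]))
        off = end
    return entries

def _parse_entry(buf):
    ncomp = struct.unpack_from(">H", buf)[0]
    pos, parts = 2, []
    for _ in range(ncomp + 1):                      # realm, then components
        ln = struct.unpack_from(">H", buf, pos)[0]
        parts.append(buf[pos + 2:pos + 2 + ln].decode())
        pos += 2 + ln
    _, ts, vno8 = struct.unpack_from(">IIB", buf, pos)
    enctype, klen = struct.unpack_from(">HH", buf, pos + 9)
    pos += 13 + klen
    kvno = vno8
    if len(buf) - pos >= 4:                         # non-zero 32-bit kvno wins
        kvno = struct.unpack_from(">I", buf, pos)[0] or vno8
    return ("/".join(parts[1:]) + "@" + parts[0], kvno, enctype, ts)

def stale_entries(entries, now, retention):
    """Superseded kvnos older than the retention window: candidates for removal."""
    newest = {}
    for princ, kvno, _, _ in entries:
        newest[princ] = max(newest.get(princ, 0), kvno)
    return [(p, k) for p, k, _, ts in entries if k < newest[p] and now - ts > retention]
```

Run against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; a principal that still shows more than one kvno after the retention window is the cleanup the thread is talking about.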
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org