sure. We’re not actually doing this.
On Jun 22, 2018, at 11:38 AM, Robbie Harwood
<rharwood(a)redhat.com> wrote:
Charles Hedrick <hedrick(a)cs.rutgers.edu> writes:
> I can see only one possible advantage. If someone becomes root and
> steals your keytab, regular rotation will limit how long the
> compromise lasts. Of course that assumes that you fix the problem that
> allowed them to become root in the first place.
And that they don't give themselves persistence on the system once they
have root. Persistence is almost impossible to detect when one is
actively looking for it - I would at the very least reinstall the entire
OS from scratch on any compromised machine. Depending on threat model,
it's worth considering an entirely new machine for bare-metal compromise.
> You could add the new credential, keeping old and new, and then wait
> long enough before removing the old one that no one would still be
> using it. I haven’t tried that though.
It's still a bit tricky because you have to prune the keytab, but yes,
it can be done. But again, I don't see a use case.
Thanks,
--Robbie
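The add-then-prune rotation sketched above (new key appended alongside the old one, old entries removed once nothing can still hold a ticket under them) is what `kadmin ktadd` followed later by `kadmin ktremove <principal> old` does on the keytab file. The following is an added example, not code from this thread or from MIT krb5: it parses and rewrites the 0x0502 keytab file format directly so the two steps can be inspected offline. It only touches the keytab file; the matching key change on the KDC side still has to be done through kadmin. The function names, the sample principals and the all-0x11/0x22/0x33 key bytes are constructed for illustration and are not real keys.

```python
import os
import struct
from dataclasses import dataclass

# Wire format of a keytab entry, version 0x0502 (all integers big-endian):
#   int32 size, uint16 ncomponents, counted realm, counted component[n],
#   uint32 name_type, uint32 timestamp, uint8 vno8, keyblock(uint16 enctype,
#   uint16 keylen, key), optional uint32 vno (used when present and non-zero).
# A negative size marks a hole left by a deleted entry.

ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    realm: str
    components: list
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, off: int):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # hole from a previous deletion: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:      # 32-bit kvno present; it overrides vno8 when non-zero
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append(KeytabEntry(realm.decode(), comps, name_type, timestamp,
                                   kvno, enctype, key))
    return entries


def serialize_keytab(entries: list) -> bytes:
    out = bytearray(b"\x05\x02")
    for e in entries:
        body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode())
        for c in e.components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)       # always write the 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def add_new_key(entries: list, principal: str, timestamp: int = 0) -> list:
    """Step 1 (like `kadmin ktadd`): append a fresh key at kvno max+1, keeping old ones."""
    old = [e for e in entries if e.principal == principal]
    if not old:
        raise KeyError(f"{principal} not in keytab")
    newest = max(old, key=lambda e: e.kvno)
    return entries + [KeytabEntry(newest.realm, list(newest.components), newest.name_type,
                                  timestamp, newest.kvno + 1, newest.enctype,
                                  os.urandom(len(newest.key)))]   # demo only: real keys come from the KDC


def prune_old_kvnos(entries: list) -> list:
    """Step 2 (like `kadmin ktremove <princ> old`): keep only each principal's highest kvno."""
    newest = {}
    for e in entries:
        newest[e.principal] = max(newest.get(e.principal, 0), e.kvno)
    return [e for e in entries if e.kvno == newest[e.principal]]


def sample_keytab() -> bytes:
    """Constructed sample: one service already mid-rotation (kvno 1 and 2), one untouched."""
    realm = "EXAMPLE.COM"
    return serialize_keytab([
        KeytabEntry(realm, ["host", "db.example.com"], KRB5_NT_PRINCIPAL, 1529000000, 1,
                    ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x11" * 32),
        KeytabEntry(realm, ["host", "db.example.com"], KRB5_NT_PRINCIPAL, 1529600000, 2,
                    ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x22" * 32),
        KeytabEntry(realm, ["HTTP", "web.example.com"], KRB5_NT_PRINCIPAL, 1529000000, 5,
                    ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x33" * 32),
    ])


if __name__ == "__main__":
    entries = parse_keytab(sample_keytab())
    rotated = add_new_key(entries, "host/db.example.com@EXAMPLE.COM", 1530000000)
    print("after ktadd-style rotation:", [(e.principal, e.kvno) for e in rotated])
    print("after pruning old kvnos:   ", [(e.principal, e.kvno) for e in prune_old_kvnos(rotated)])
```

The gap between the two steps is the part that matters: `prune_old_kvnos` must not run until every ticket that could have been issued under the old kvno has expired (the maximum service ticket lifetime the KDC hands out), otherwise clients holding such tickets start failing against the service. The KDC knows nothing about this file, so in a real rotation the new key is generated by kadmin on the KDC and only then written here.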