Natxo Asenjo via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> writes:
> Does anybody rotate host keytabs? Is it worth it security-wise?
Hi, krb5 maintainer here. Keytab rotation is ugly. I recommend not
doing it if you can avoid it, largely because one of two things will
happen:
- All clients who have credentials against the old keytab will see
messy, inexplicable authentication failures.
- If you try to get around that by keeping the old entry around in the
keytab (i.e., multiple kvnos), you haven't actually accomplished
anything.
So there's a serious trade-off between any security benefit that might
accrue and the burden of cleaning up afterward.
Service keytabs (of which host keytabs are an instance) in FreeIPA
aren't tied to a user-supplied password. (Outside FreeIPA, they usually
aren't either.) Therefore, I don't see a vector in which rotating them
is helpful, unless you're worried about the strength of the underlying
cryptography (and if you're worried about AES-256, I'm not sure there's
much anyone can do to help).
Thanks,
--Robbie
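As an added example (not from the thread or from FreeIPA/krb5 itself), a small audit over `klist -kte` output that spots the two situations Robbie mentions: a principal left with several kvnos after a rotation, and entries whose only security argument for rotation would be the strength of the enctype. The sample output below is constructed in the MIT `klist -kte` layout; the weak-enctype set is an assumption based on RFC 6649/8429 deprecations.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by MIT `klist -kte`.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2024 10:00:00 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 01/15/2024 10:00:00 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   4 03/01/2024 09:30:00 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 03/01/2024 09:30:00 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 06/01/2023 08:00:00 nfs/client.example.com@EXAMPLE.COM (arcfour-hmac)
"""

# One keytab entry: kvno, "date time", principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")

# Assumed list of enctypes deprecated by RFC 6649 (DES) and RFC 8429 (RC4, 3DES).
WEAK_ENCTYPES = {"arcfour-hmac", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}


def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}} from klist -kte output."""
    table = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and separator lines do not match and are skipped
            kvno, _timestamp, principal, enctype = m.groups()
            table[principal][int(kvno)].add(enctype)
    return table


def audit_keytab(text):
    """Flag principals keeping several kvnos (the 'old entry kept around'
    case) and principals with at least one weak enctype."""
    findings = []
    for principal, by_kvno in parse_klist(text).items():
        if len(by_kvno) > 1:
            findings.append(("multiple-kvno", principal, sorted(by_kvno)))
        weak = sorted({e for es in by_kvno.values() for e in es} & WEAK_ENCTYPES)
        if weak:
            findings.append(("weak-enctype", principal, weak))
    return findings


if __name__ == "__main__":
    for kind, principal, detail in audit_keytab(SAMPLE_KLIST):
        print(f"{kind}: {principal} {detail}")
```

Run it against real output with `klist -kte | python3 audit.py` after swapping SAMPLE_KLIST for sys.stdin.read().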