Charles Hedrick <hedrick(a)cs.rutgers.edu> writes:
I can see only one possible advantage. If someone becomes root and
steals your keytab, regular rotation will limit how long the
compromise lasts. Of course that assumes that you fix the problem that
allowed them to become root in the first place.
And that they don't give themselves persistence on the system once they
have root. Persistence is almost impossible to detect when one is
actively looking for it - I would at the very least reinstall the entire
OS from scratch on any compromised machine. Depending on threat model,
it's worth considering an entirely new machine for bare-metal compromise.
You could add the new credential, keeping old and new, and then wait
long enough before removing the old one that no one would still be
using it. I haven’t tried that though.
It's still a bit tricky because you have to prune the keytab, but yes,
it can be done. But again, I don't see a use case.
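The overlap-then-prune procedure discussed above (write the new key version into the keytab alongside the old one, wait out the grace period, then remove the superseded entries) is what `k5srvutil change` followed by `k5srvutil delold` does in MIT Kerberos. The following is an added example written for this page, not code from the thread or from the krb5 project: it parses the MIT keytab file format (version 0x0502), keeps the newest kvno for each principal, and drops older kvnos only once the newest key has been present for a configurable grace period. The example treats "long enough" as at least the maximum service-ticket lifetime the realm issues, on the reasoning that tickets already encrypted under the old key stay usable until they expire; the sample keytab, principal names, timestamps and key bytes are constructed for the demonstration.

```python
"""Prune superseded key versions from an MIT-format keytab after a grace period.
Illustrative code for this page; not part of MIT Kerberos."""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"          # file_format_version 0x0502
AES256_CTS_HMAC_SHA1_96 = 18        # enctype numbers from RFC 3962
AES128_CTS_HMAC_SHA1_96 = 17


@dataclass
class KeytabEntry:
    principal: str      # "primary/instance@REALM"
    name_type: int      # 1 = KRB5_NT_PRINCIPAL
    timestamp: int      # Unix time the entry was written
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                # negative size marks a free slot left by a deletion
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:          # optional 32-bit kvno; a nonzero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
    return entries


def build_keytab(entries: list[KeytabEntry]) -> bytes:
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)   # full 32-bit kvno, as current krb5 writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def prune_old_kvnos(entries, now, grace_seconds):
    """Keep every enctype of the newest kvno per principal.  Older kvnos are
    dropped only once the newest key has been in place for grace_seconds, so
    service tickets issued under the old key can expire first."""
    newest = {}                     # principal -> (newest kvno, time it was added)
    for e in entries:
        cur = newest.get(e.principal)
        if cur is None or e.kvno > cur[0]:
            newest[e.principal] = (e.kvno, e.timestamp)
        elif e.kvno == cur[0]:
            newest[e.principal] = (cur[0], min(cur[1], e.timestamp))
    return [e for e in entries
            if e.kvno == newest[e.principal][0]
            or now - newest[e.principal][1] < grace_seconds]


# Constructed sample: host/web1 was rotated from kvno 3 to kvno 4 one hour before T0;
# HTTP/web1 has never been rotated.  Keys are dummy bytes, not real key material.
T0 = 1_700_000_000
HOST, HTTP = "host/web1.example.com@EXAMPLE.COM", "HTTP/web1.example.com@EXAMPLE.COM"
SAMPLE_ENTRIES = [
    KeytabEntry(HOST, 1, T0 - 30 * 86400, 3, AES256_CTS_HMAC_SHA1_96, b"\x11" * 32),
    KeytabEntry(HOST, 1, T0 - 30 * 86400, 3, AES128_CTS_HMAC_SHA1_96, b"\x22" * 16),
    KeytabEntry(HOST, 1, T0 - 3600, 4, AES256_CTS_HMAC_SHA1_96, b"\x33" * 32),
    KeytabEntry(HOST, 1, T0 - 3600, 4, AES128_CTS_HMAC_SHA1_96, b"\x44" * 16),
    KeytabEntry(HTTP, 1, T0 - 60 * 86400, 2, AES256_CTS_HMAC_SHA1_96, b"\x55" * 32),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)
```

Running `prune_old_kvnos(parse_keytab(SAMPLE_KEYTAB), T0, 24 * 3600)` returns all five entries, because kvno 4 has only been present for an hour; the same call a day later returns only the kvno 4 entries for `host/` and the untouched kvno 2 entry for `HTTP/`, which is the state `k5srvutil delold` leaves behind. The two things worth checking before writing the result back are the free slots that `ktutil delent` leaves in a file (negative size fields, skipped by the parser) and principals whose kvno has passed 255, where only the trailing 32-bit field carries the real version.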