I can see only one possible advantage. If someone becomes root and steals your keytab, regular rotation will limit how long the compromise lasts. Of course that assumes that you fix the problem that allowed them to become root in the first place.
You could add the new credential, keeping old and new, and then wait long enough before removing the old one that no one would still be using it. I haven’t tried that though.
On May 17, 2018, at 7:48 PM, Robbie Harwood via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Natxo Asenjo via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Does anybody rotate host keytabs? Is it worth it security-wise?
Hi, krb5 maintainer here. Keytab rotation is ugly. I recommend not doing it if you can avoid it largely because one of two things will happen:
- All clients who have credentials against the old keytab will see messy, inexplicable authentication failures.
- If you try to get around that by keeping the old entry around in the keytab (i.e., multiple kvnos), you haven't actually accomplished anything.
So there's a serious trade-off between any security benefit that might accrue and the burden of cleaning up afterward.
Service keytabs (of which host keytabs are an instance) in freeIPA aren't tied to a user-supplied password. (Outside freeIPA, they usually aren't either.) Therefore, I don't see a vector in which rotating them is helpful, unless you're worried about the strength of the underlying cryptography (and if you're worried about AES-256, I'm not sure there's much anyone can do to help).
Thanks, --Robbie
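The "keep old and new, then drop the old one once nobody can still be using it" approach discussed above needs a way to see which kvnos a keytab still carries and how old each one is. The following is an added example, not code from the thread or from krb5/FreeIPA: it parses the MIT keytab file format directly (assumed to be the 0x0502 layout, including freed slots and the trailing 32-bit kvno extension) and flags superseded kvnos older than a grace period. The principal, timestamps and key bytes in the sample are constructed.

```python
import struct
def _cstr(data, pos):  # counted octet string: uint16 big-endian length, then bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n
def parse_keytab(data):
    """Parse a version-0x0502 MIT keytab into dicts: principal, kvno, enctype, timestamp."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version"
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size marks a freed (deleted) slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos)
            comps.append(c.decode())
        _nt, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                 # skip the key bytes; the audit never needs them
        # a trailing nonzero 32-bit kvno extension overrides the 8-bit field
        vno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype, "timestamp": ts})
        pos = end
    return entries
def stale_kvnos(entries, now, max_age):
    """Superseded kvnos whose entry is older than max_age seconds: candidates for removal."""
    principals = {e["principal"] for e in entries}
    newest = {p: max(e["kvno"] for e in entries if e["principal"] == p) for p in principals}
    return sorted({(e["principal"], e["kvno"]) for e in entries
                   if e["kvno"] < newest[e["principal"]] and now - e["timestamp"] > max_age})
def build_entry(principal, kvno, enctype, timestamp, key):
    """Serialize one entry; used here only to construct the sample keytab below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", 1, timestamp, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)      # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

# Constructed sample: one host/ principal at kvno 3 (old) and kvno 4 (current), plus one freed slot.
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", -8) + bytes(8) + b"".join([
    build_entry("host/web1.example.test@EXAMPLE.TEST", 3, 18, 1_500_000_000, b"\x11" * 32),
    build_entry("host/web1.example.test@EXAMPLE.TEST", 4, 18, 1_526_600_000, b"\x22" * 32),
])
```

Run against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`; an entry that `stale_kvnos` reports is one no client should still be holding tickets for, which is the condition the reply above waits for before removing it.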