Natxo Asenjo via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
does anybody rotate host keytabs? Is it worth it security-wise?
Hi, krb5 maintainer here. Keytab rotation is ugly. I recommend not doing it if you can avoid it largely because one of two things will happen:
- All clients who have credentials against the old keytab will see messy, inexplicable authentication failures.
- If you try to get around that by keeping the old entry around in the keytab (i.e., multiple kvnos), you haven't actually accomplished anything.
So there's a serious trade-off between any security benefit that might accrue and the burden of cleaning up afterward.
Service keytabs (of which host keytabs are an instance) in freeIPA aren't tied to a user-supplied password. (Outside freeIPA, they usually aren't either.) Therefore, I don't see a vector in which rotating them is helpful, unless you're worried about the strength of the underlying cryptography (and if you're worried about AES-256, I'm not sure there's much anyone can do to help).
Thanks, --Robbie
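The second failure mode above (keeping old entries around so the keytab carries several kvnos for one principal) is easy to audit for. The following is an added example, not code from the thread or from FreeIPA or MIT krb5: it parses the text that `klist -k -e` prints (column layout as assumed here; the sample output is constructed) and reports every principal whose keytab still holds entries older than its newest kvno, which is exactly the state in which a "rotation" has not actually retired the old key.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k -e` output; not a real keytab listing.
# host/ still carries kvno 2 beside kvno 3, nfs/ has a single kvno.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   5 nfs/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# One entry line: kvno, principal, optional "(enctype)" when -e was given.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)(?:\s+\((\S+)\))?\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal, enctype_or_None) tuples."""
    entries = []
    for line in text.splitlines():
        # Skip the banner, header and separator lines klist prints.
        if not line.strip() or line.startswith(("Keytab name:", "KVNO", "----")):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def kvnos_by_principal(entries):
    """Map each principal to the sorted list of kvnos present for it."""
    seen = defaultdict(set)
    for kvno, princ, _enctype in entries:
        seen[princ].add(kvno)
    return {princ: sorted(kvnos) for princ, kvnos in seen.items()}


def stale_kvno_report(entries):
    """Principals whose keytab still holds keys older than the newest kvno.

    A principal listed here has not really been rotated: any ticket or
    credential minted under the older kvno is still accepted by this host.
    """
    report = {}
    for princ, kvnos in kvnos_by_principal(entries).items():
        if len(kvnos) > 1:
            report[princ] = {"current": kvnos[-1], "stale": kvnos[:-1]}
    return report


if __name__ == "__main__":
    # On a real host you would feed in: subprocess.run(["klist", "-k", "-e"], ...)
    for princ, info in stale_kvno_report(parse_klist(SAMPLE_KLIST)).items():
        print(f"{princ}: current kvno {info['current']}, stale kvnos {info['stale']}")
```

A clean keytab (one kvno per principal) yields an empty report; anything else means the old key is still live and the rotation has bought nothing yet, which is the point the reply makes.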