#4976 [RFE] Create a way (tools + procedure) to rotate Kerberos Master Key
Closed: wontfix a year ago by rcritten. Opened 4 years ago by dpal.

PCI compliance requires the system to have a way to rotate any keys, this includes Kerberos master key. Currently the procedure is very hard and manual. It should be well documented and some tools might be needed to make is easier.

Slightly request in SSSD: https://fedorahosted.org/sssd/ticket/1041 ([RFE] Support Automatic Renewing of Kerberos Host Keytabs). But this is for the keytabs, master key is a whole different story.

notes from triage:

  • MK: (Simo, ) how possible is it? Do we have any POC how it was done in the past?
    • not possible immediately, I have plans to move the kerberos master key back to be a real keytab and use custodia to transfer it. But we will also need to change the password plugin as it will not have access to the master password anymore.
      • not short term
  • MK: Aren't kerberos keys in LDAP encoded with this key, i.e. all would need to be re-keyed + there would ideally need to be keys encoded with 2 different master keys at the same time?
    • No, password rotation is explicitly supported by the KDC, it will re-encrypt keys from old master key to new in time (it means old and new key are available at the same time for a period). But care needs to be taken to identify when all uses of the older key have ceased and all remaining keys are encrypted in the new key. It is not mean to be used with fully automatic rotation, but we can think of some way of forcing that in a reasonable short period of time.

Moving back, it is still considered for 4.4.

Metadata Update from @dpal:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.5 backlog

2 years ago

Thank you taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

a year ago

Login to comment on this ticket.