PCI compliance requires the system to have a way to rotate any keys; this includes the Kerberos master key. Currently the procedure is very hard and manual. It should be well documented and some tools might be needed to make it easier.
Slightly related request in SSSD: https://fedorahosted.org/sssd/ticket/1041 ([RFE] Support Automatic Renewing of Kerberos Host Keytabs). But this is for the keytabs; the master key is a whole different story.
notes from triage:
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1286226 (Red Hat Enterprise Linux 7)
Moving back, it is still considered for 4.4.
Metadata Update from @dpal:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.5 backlog
Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)