Hi Vishal,

> I think there is some issue with keytab file, I see multiple kvno in
> keytab i.e. 74 & 75. Is it practical? We have 1.7 release.
This is not uncommon; these are key version numbers. They help to distinguish various keys assigned to a particular principal. RFC 4120 says:

    Key Version Number (kvno)
        A tag associated with encrypted data identifies which key was used
        for encryption when a long-lived key associated with a principal
        changes over time. It is used during the transition to a new key so
        that the party decrypting a message can tell whether the data was
        encrypted with the old or the new key.

It is used in the generic type "EncryptedData" that captures most (if not all) signed/encrypted portions of data in Kerberos:

    EncryptedData ::= SEQUENCE {
        etype   [0] Int32 -- EncryptionType --,
        kvno    [1] UInt32 OPTIONAL,
        cipher  [2] OCTET STRING -- ciphertext
    }

You will often see the etype/kvno pair; I think these two and the PrincipalName and Realm are used to identify a key. And that's exactly why it's in your keytab. So, when you change your keys, you will see a new kvno while the rest of the key parts remain the same. Your keytab can store them at the same time to be able to service older and newer keyed requests. You are free to remove old keys if you are certain they should not be used anymore.

-Rick

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
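The key selection Rick describes (principal, realm, etype and kvno together identify one keytab entry, so two kvnos for the same principal can coexist) can be seen by reading the keytab file directly. The following is an added example, not code from the thread or from MIT krb5: it builds a constructed keytab in the 0x0502 file format with kvno 74 and 75 entries for one principal, parses it, and looks up the entry a decryptor would pick given the etype and kvno carried in a ticket's EncryptedData. The principal name, realm, timestamp and key bytes are made up for the demo, and the etype number 18 (aes256-cts-hmac-sha1-96) is assumed just to have a concrete value.

```python
"""Build, parse and query a 0x0502 (MIT/Heimdal) keytab in memory.

Added example; assumptions: a single etype (18) per entry, constructed key
bytes, and a made-up principal HTTP/web.example.com@EXAMPLE.COM.
"""
import struct

KEYTAB_VERSION = 0x0502       # big-endian keytab format version 2
ETYPE_AES256_SHA1 = 18        # aes256-cts-hmac-sha1-96 (assumed etype for the demo)
KRB5_NT_PRINCIPAL = 1


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the raw bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (realm, components, timestamp, kvno, etype, key) tuples.

    Each entry is: int32 size, uint16 num_components, realm, components[],
    uint32 name_type, uint32 timestamp, uint8 vno8, keyblock, uint32 vno.
    The trailing 32-bit field carries the full kvno; vno8 holds kvno & 0xff.
    """
    out = struct.pack(">H", KEYTAB_VERSION)
    for realm, components, timestamp, kvno, etype, key in entries:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", etype) + _counted(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes):
    """Return one dict per live entry: principal, kvno, etype, key, timestamp."""
    if struct.unpack(">H", blob[:2])[0] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        entry, p = blob[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack(">H", entry[p:p + 2]); p += 2
        strings = []
        for _ in range(ncomp + 1):      # realm first, then each name component
            (n,) = struct.unpack(">H", entry[p:p + 2]); p += 2
            strings.append(entry[p:p + n].decode()); p += n
        name_type, timestamp, vno8 = struct.unpack(">IIB", entry[p:p + 9]); p += 9
        etype, klen = struct.unpack(">HH", entry[p:p + 4]); p += 4
        key = entry[p:p + klen]; p += klen
        kvno = vno8
        if len(entry) - p >= 4:         # optional 32-bit kvno; MIT keeps vno8 if it is 0
            (vno32,) = struct.unpack(">I", entry[p:p + 4])
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(strings[1:]) + "@" + strings[0],
            "kvno": kvno, "etype": etype, "key": key, "timestamp": timestamp,
        })
    return entries


def find_key(entries, principal, etype, kvno=None):
    """Pick the entry matching (principal, etype, kvno), as a decryptor would
    from the etype/kvno in EncryptedData. With kvno=None return the newest."""
    hits = [e for e in entries if e["principal"] == principal and e["etype"] == etype]
    if kvno is not None:
        hits = [e for e in hits if e["kvno"] == kvno]
    return max(hits, key=lambda e: e["kvno"]) if hits else None


# Constructed sample: the same service principal keyed at kvno 74 and 75.
PRINCIPAL = "HTTP/web.example.com@EXAMPLE.COM"
OLD_KEY = bytes(range(32))           # made-up key material
NEW_KEY = bytes(range(32, 64))       # made-up key material
KEYTAB_BYTES = build_keytab([
    ("EXAMPLE.COM", ["HTTP", "web.example.com"], 1600000000, 74, ETYPE_AES256_SHA1, OLD_KEY),
    ("EXAMPLE.COM", ["HTTP", "web.example.com"], 1600086400, 75, ETYPE_AES256_SHA1, NEW_KEY),
])
SAMPLE_ENTRIES = parse_keytab(KEYTAB_BYTES)

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:             # klist -e style listing
        print(f"{e['kvno']:4d} {e['principal']} (etype {e['etype']})")
    print("ticket with kvno 74 ->", find_key(SAMPLE_ENTRIES, PRINCIPAL, 18, 74)["key"].hex()[:16])
    print("ticket with kvno 75 ->", find_key(SAMPLE_ENTRIES, PRINCIPAL, 18, 75)["key"].hex()[:16])
```

Running it lists both entries the way klist would; a ticket encrypted under kvno 74 resolves to the old key, one under 75 to the new key, and a kvno the keytab no longer holds (for instance after the old entry is removed with ktutil) matches nothing, which is the failure a service sees once a stale ticket meets a pruned keytab.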