Optionally prune old keys when setting new keys.
When new keys are added (typically via kadm5_setkey_principal_3), truncate the key history to remove old keys, that is keys older than the newest key which was in effect prior longer ago than the principal's maximum ticket lifetime. This feature is controlled via the "[kadmin]" section's "prune-key-history" boolean parameter, which defaults to false. Currently this happens only when kadm5_setkey_principal_3() is called directly on the server, the client API simulates kadm5_setkey_principal_3() via a get, update, modify sequence that does not prune the key history. The plan is to add a new kadm5 protocol RPC and convert clients to call that instead. In setkey_principal_3 seal keys after entry key update Also, for now, don't check the return value of kadm5_log_modify() in the new kadm5_s_setkey_principal_3(). This has to be addressed more globally. Censor stale keys in kadm5_s_get_principal
This commit is contained in:
Viktor Dukhovni
committed by
Viktor Dukhovni
Viktor Dukhovni
parent
047daa077a
commit
579393c8b9
@@ -54,6 +54,7 @@ HEIMDAL_HDB_1.0 {
|
||||
hdb_principal2key;
|
||||
hdb_print_entry;
|
||||
hdb_process_master_key;
|
||||
hdb_prune_keys;
|
||||
hdb_read_master_key;
|
||||
hdb_replace_extension;
|
||||
hdb_seal_key;
|
||||
|
||||
Reference in New Issue
Block a user