Keytab-based initiator creds design
Sam Hartman
hartmans at MIT.EDU
Sat Jun 2 10:05:03 EDT 2012
I'm not very comfortable with the first-key in a keytab rule. I
understand Russ's experience, but I suspect most of Stanford's
experience is in situations where Kerberos authentication is desired.
By picking the first key in a keytab especially for system services
you'll make it much more likely that Kerberos will be tried/used in
situations where it is not today.
I think you want to be careful about making it too easy for this code to
trigger automatically.
Like Russ, I believe storing in the default ccache is problematic and
believe that having a robust renewal strategy is important.
More information about the krbdev
mailing list