Automatic keytab creation

Ross Smith rjsm at
Tue Oct 23 00:56:21 EDT 2012

We here require the person reloading a machine to be authorized to reload
it.  That means that we can ask for a principal and password to get
started.  From there we have an internally developed system that we are
working to replace with wallet to handle our keytab creation for new hosts
and hosts that have changed names.

One other option we have looked at (and eventually are going to implement)
is giving hosts that are set to be reloaded a keytab that is authorized to
reload any host.  This does pose some security concerns if other parts of
your environment aren't under some sort of ACL control.

Ross Smith <rjsm at>
College of Engineering - CAEN - Unix and Linux Support

On Mon, Oct 22, 2012 at 8:51 PM, Jaap Winius <jwinius at> wrote:

> On Mon, 22 Oct 2012 12:07:11 -0700, Russ Allbery wrote:
> > remctl doesn't, as yet, have support for anonymous PKINIT, although it's
> > something that I want to add.
> Then perhaps remctl is currently not part of a solution to this problem.
> Is there any way at all to automatically create a keytab on a newly
> installed host?
> Thanks,
> Jaap
