Automatic keytab creation

Booker Bense bbense at
Tue Oct 23 14:19:56 EDT 2012

On Mon, Oct 22, 2012 at 5:51 PM, Jaap Winius <jwinius at> wrote:
> On Mon, 22 Oct 2012 12:07:11 -0700, Russ Allbery wrote:
>> remctl doesn't, as yet, have support for anonymous PKINIT, although it's
>> something that I want to add.
> Then perhaps remctl is currently not part of a solution to this problem.
> Is there any way at all to automatically create a keytab on a newly
> installed host?

Yes, but you have to leverage some kind of existing trust. (i.e. I
trust foo, so I'll use
foo to extend the trust to create a keytab. )

At SLAC we use a special ssh keypair to bootstrap the keytab
installation process.
I gave a talk about it a few years back.

Since each site is going to have different things that it "trusts", I
think this is a problem
that doesn't have a good general solution. To me it seems using some
kind of public
key is required, the trick is exactly how the public key gets deployed
to the client.

- Booker C. Bense

More information about the Kerberos mailing list