Automatic keytab creation

Booker Bense bbense at gmail.com
Tue Oct 23 14:19:56 EDT 2012


On Mon, Oct 22, 2012 at 5:51 PM, Jaap Winius <jwinius at umrk.nl> wrote:
> On Mon, 22 Oct 2012 12:07:11 -0700, Russ Allbery wrote:
>
>> remctl doesn't, as yet, have support for anonymous PKINIT, although it's
>> something that I want to add.
>
> Then perhaps remctl is currently not part of a solution to this problem.
> Is there any way at all to automatically create a keytab on a newly
> installed host?
>

Yes, but you have to leverage some kind of existing trust (i.e. I trust foo, so I'll use foo to extend the trust to create a keytab).

At SLAC we use a special ssh keypair to bootstrap the keytab installation process. I gave a talk about it a few years back.

http://workshop.openafs.org/afsbpw07/talks/bbense.pdf

Since each site is going to have different things that it "trusts", I think this is a problem that doesn't have a good general solution. To me it seems using some kind of public key is required; the trick is exactly how the public key gets deployed to the client.

- Booker C. Bense
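As an added example (not from this post and not SLAC's own tooling), here is one way to wire up the bootstrap trust described above: the dedicated ssh key on the keytab-issuing host is locked to a forced command, and that command only creates the host principal and returns its keytab after checking that the requested name is a well-formed, pre-registered FQDN. The realm, allowlist path, `authorized_keys` layout and the use of `kadmin.local` on the issuer are assumptions.

```shell
#!/bin/sh
# Forced command for the bootstrap ssh key on the keytab-issuing host.
# Assumed authorized_keys entry for the bootstrap key:
#   restrict,command="/usr/local/sbin/issue-keytab" ssh-ed25519 AAAA... bootstrap
# The newly installed host runs (assumed client side):
#   ssh -i /etc/bootstrap_key keytab@issuer "$(hostname -f)" > /etc/krb5.keytab
# so the requested name arrives in SSH_ORIGINAL_COMMAND and is never executed.

REALM="${REALM:-EXAMPLE.COM}"                      # assumed realm
ALLOWLIST="${ALLOWLIST:-/etc/issue-keytab/hosts}"   # assumed: one FQDN per line

# Accept only a plain lowercase FQDN: no spaces, shell metacharacters or bare names.
valid_fqdn() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# The host must be both well-formed and pre-registered in the allowlist,
# so possession of the shared bootstrap key alone does not mint arbitrary principals.
host_allowed() {
    valid_fqdn "$1" || return 1
    [ -r "$ALLOWLIST" ] || return 1
    grep -Fxq "$1" "$ALLOWLIST"
}

# Create host/<fqdn>@REALM if it does not exist yet and write its keytab to stdout.
issue_keytab() {
    host="$1"
    princ="host/${host}@${REALM}"
    tmp="$(mktemp)" || exit 1
    trap 'rm -f "$tmp"' EXIT
    # kadmin.local assumes this runs on the KDC; use "kadmin -p <admin>" elsewhere.
    kadmin.local -q "add_principal -randkey $princ" >/dev/null 2>&1 || true
    kadmin.local -q "ktadd -k $tmp $princ" >/dev/null || exit 1
    cat "$tmp"
}

# Only act when sshd invoked us as a forced command (SSH_ORIGINAL_COMMAND is set).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if host_allowed "$SSH_ORIGINAL_COMMAND"; then
        logger -t issue-keytab "issuing keytab for $SSH_ORIGINAL_COMMAND"
        issue_keytab "$SSH_ORIGINAL_COMMAND"
    else
        logger -t issue-keytab "refused request '$SSH_ORIGINAL_COMMAND'"
        exit 1
    fi
fi
```

Because `ktadd` rotates the key, a second request for the same host invalidates the keytab already installed there, which is a useful signal to log and alert on.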
