Machine authentication

Greg Hudson ghudson at MIT.EDU
Sat Aug 9 00:41:07 EDT 2014


On 08/08/2014 03:37 AM, jarek wrote:
> Is it possible to receive a ticket for a host principal and use this ticket
> for authentication?

Yes.  Normally this is done using a keytab, in one of three ways:

* krb5_get_init_creds_keytab from the application code.

* kinit -k from the command line.  (This will only work until the
resulting tickets expire.)

* Client keytab initiation (new in MIT krb5 1.11).  Set the environment
variable KRB5_CLIENT_KTNAME to FILE:/path/to/keytab, and set KRB5CCNAME
to FILE:/some/path/writable/by/daemon/process.  Don't create the ccache.
The GSS application will create it automatically using the keytab, and
will refresh it when needed.
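
The client keytab setup from the third option above, as an added example that is not part of the original post. The function names and any paths passed to the script are hypothetical, and the permission check on the keytab is an added safeguard the post does not mention.

```shell
#!/bin/sh
# Added example: launch a daemon with client keytab initiation (MIT krb5 1.11+).
# Usage (hypothetical paths): wrapper.sh KEYTAB CCACHE COMMAND [ARGS...]

# check_keytab FILE
# Succeeds only if FILE is a readable regular file with no group/other
# permission bits set. A keytab holds the principal's long-term keys, so
# anyone who can read it can authenticate as that principal.
check_keytab() {
    kt=$1
    [ -f "$kt" ] && [ -r "$kt" ] || {
        echo "keytab missing or unreadable: $kt" >&2
        return 1
    }
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ldL "$kt" | cut -c5-10)
    [ "$mode" = "------" ] || {
        echo "keytab is accessible to group/other: $kt" >&2
        return 1
    }
}

# setup_client_keytab KEYTAB CCACHE
# Exports the two variables named in the post. Returns 1 for a bad keytab,
# 2 if the ccache directory is missing or not writable by this process.
setup_client_keytab() {
    kt=$1
    cc=$2
    check_keytab "$kt" || return 1
    ccdir=$(dirname "$cc")
    [ -d "$ccdir" ] && [ -w "$ccdir" ] || {
        echo "ccache directory not writable: $ccdir" >&2
        return 2
    }
    # The ccache file itself is deliberately not created here: the GSS
    # application creates it from the keytab and refreshes it when needed.
    KRB5_CLIENT_KTNAME="FILE:$kt"
    KRB5CCNAME="FILE:$cc"
    export KRB5_CLIENT_KTNAME KRB5CCNAME
}

# When run with KEYTAB CCACHE COMMAND..., set up the environment and exec.
if [ "$#" -ge 3 ]; then
    setup_client_keytab "$1" "$2" || exit 1
    shift 2
    exec "$@"
fi
```

Run the wrapper as the daemon's own user so that the writability check reflects what the daemon process can actually do.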

