krb5-1.12.1 and client keytab file

Greg Hudson ghudson at MIT.EDU
Fri May 30 14:08:20 EDT 2014

On 05/30/2014 01:38 PM, squidmobile at wrote:
> the bad news is that it did not always work quite as expected.

All of the behaviors you describe are intended, but they could probably
be documented better.

>     app-with-gssapi-calls
> this worked extemely well.  no clashes occured with any other tgt,
> with either the FILE:... or DIR:... syntax. 

You might want to give the memory ccache a name (MEMORY:mycache),
although I guess the empty name works too.

> however, i believe
> some dialects of unix make all of memory available via things like
> /dev/kmem or /proc/core, which could pose security issues...

Not a concern.  Your process's memory is at least as secure as the files
it reads from.

> one other thought:  what happens to app-with-gssapi-calls if it
> runs past the time limit for the tgt obtained by this mechanism?

The KRB5_CLIENT_KTNAME mechanism will renew the TGT when it is halfway
to expired.  So if you get ten-hour tickets by default, the resulting
connection should be valid for at least five hours, if the application
even checks.

More information about the Kerberos mailing list