interested in discussing some Kerberos improvements
Russ Allbery
eagle at eyrie.org
Thu Apr 2 22:06:37 EDT 2026
Geoffrey Thorpe <geoff at geoffthorpe.net> writes:
> As I understand it, k5start will invoke kinit periodically to handle
> credential refresh, and so if kinit is configured to use pkinit to get
> creds, then it would pick up the cert and key from the file system each
> time kinit is invoked (rather than them being read only once when
> k5start is first run). Is that correct? If so, that's once less feature
> to worry about. :-)
k5start itself does not run kinit. It uses the Kerberos library calls
directly. I am dubious that it would work with PKINIT from a file without
some code changes. (Although also I'm not sure I understand the security
model of using a PKINIT cert on disk and not a keytab.)
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list