interested in discussing some Kerberos improvements
Geoffrey Thorpe
geoff at geoffthorpe.net
Mon Mar 30 17:57:33 EDT 2026
On 3/30/26 5:47 PM, Nico Williams wrote:
> On Mon, Mar 30, 2026 at 05:41:23PM -0400, Geoffrey Thorpe wrote:
>> Yeah I didn't mean stateless in the way you're interpreting it, I get what
>> you mean. It's only "stateless" in the sense that the typical orchestration
>> problem of managing a KDC, i.e. registering and deregistering client and
>> service principals in the KDC database, is avoidable. [...]
>
> I would call this read-only KDCs, or mostly-read-only KDCs.
That's the idea. When I wrote "stateless" it was with respect to the
database state, not protocol state. And even then, there's some hand
waving implied.
>> Perhaps I didn't express it well. The feature I'm relying on is _not_ that
>> kinit refreshes the x509v3 cred itself, but that it re-reads the cert and
>> key periodically from the FS rather than reading only once at startup. I.e.
>
> FS?
File system.
>> the assumption is that the pkinit cert+key is going to be refreshed "by
>> other means" (in my case via HCP attestation, in other cases it'll be
>> whatever PKI tooling keeps creds up to date), so what I'm relying on is that
>> the kinit instance will consume those updates to the cred over time (from
>> the FS), without requiring a restart.
>> The Heimdal "kinit -C" does seem to do this.
>
> Are you referring to the mode of kinit where it runs a command and keeps
> it supplied with fresh tickets? MIT Kerberos' kinit does not have that
> mode.
Yes, that's what I'm referring to. If it's not yet supported by the MIT
kinit, I would certainly recommend that it be added; it's very helpful.
Cheers,
Geoff
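An added example, not code from this thread, from Heimdal or from MIT: a POSIX sh wrapper that approximates the "run a command and keep it supplied with fresh tickets" mode described above on top of MIT kinit, which lacks it. The PKINIT cert and key are re-read from the file system on every refresh, so a credential rotated by other means (attestation tooling, PKI automation) is consumed without restarting the wrapper or the wrapped command. It assumes MIT kinit's -X X509_user_identity=FILE:cert,key option, kdestroy -c, and a private FILE: ccache; the principal, paths and refresh interval are placeholders.

```shell
#!/bin/sh
# Added example (not Heimdal's or MIT's code): give MIT kinit a "run a command
# and keep it supplied with fresh tickets" mode, re-reading the PKINIT cert+key
# from disk at every refresh. Assumes MIT kinit/kdestroy; paths, principal and
# interval below are illustrative.

# Fingerprint the on-disk cert+key. A change means the external PKI tooling
# rotated the credential, so the next kinit is forced even if the current
# ticket is still valid.
cred_fingerprint() {
    cat "$1" "$2" 2>/dev/null | cksum | cut -d' ' -f1-2
}

# A refresh is due when the credential files changed or the interval elapsed.
# Args: previous fingerprint, current fingerprint, last refresh (epoch secs),
# now (epoch secs), interval (secs). Returns 0 when a refresh is due.
needs_refresh() {
    [ "$1" != "$2" ] && return 0
    [ $(( $4 - $3 )) -ge "$5" ]
}

# Obtain a TGT via PKINIT into the given ccache. The cert and key paths are
# passed to kinit afresh on every call, so nothing about the credential is
# cached inside this script.
acquire_ticket() {
    # $1 ccache, $2 principal, $3 cert file, $4 key file
    kinit -c "$1" -X "X509_user_identity=FILE:$3,$4" "$2"
}

# Run a command under a private ccache and keep it supplied with fresh tickets
# until it exits. Args: principal cert key interval command [args...]
# Returns the wrapped command's exit status; the ccache is destroyed on exit.
run_with_fresh_tickets() {
    principal=$1; cert=$2; key=$3; interval=$4; shift 4
    cache="FILE:$(mktemp "${TMPDIR:-/tmp}/krb5cc_wrap.XXXXXX")"
    KRB5CCNAME=$cache; export KRB5CCNAME

    fp=$(cred_fingerprint "$cert" "$key")
    acquire_ticket "$cache" "$principal" "$cert" "$key" || return 1
    last=$(date +%s)

    "$@" &
    child=$!
    while kill -0 "$child" 2>/dev/null; do
        sleep 1
        cur=$(cred_fingerprint "$cert" "$key")
        now=$(date +%s)
        if needs_refresh "$fp" "$cur" "$last" "$now" "$interval"; then
            # If the KDC is briefly unreachable, keep the existing ticket and
            # retry on the next poll instead of killing the command.
            if acquire_ticket "$cache" "$principal" "$cert" "$key"; then
                fp=$cur; last=$now
            fi
        fi
    done
    wait "$child"; status=$?
    kdestroy -c "$cache" 2>/dev/null
    return "$status"
}

# Usage (placeholders):
#   ./krb-wrap.sh user@EXAMPLE.COM /etc/pki/user.pem /etc/pki/user.key 300 my-service --flag
if [ $# -gt 0 ]; then
    run_with_fresh_tickets "$@"
fi
```

Two design points worth noting. A change in the files forces a new kinit regardless of how much lifetime the current ticket has left, which is what matters when the old cert is about to be revoked or expire; and a failed kinit leaves the previous ticket in the ccache and is retried on the next poll, so a transient KDC outage degrades to "slightly stale ticket" rather than "dead service". The ccache is private to one invocation and removed when the command exits, so two wrapped services never share or clobber each other's credentials.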
More information about the Kerberos mailing list