Integration of k5start/krenew functionality

Greg Hudson ghudson at MIT.EDU
Sat Aug 1 15:44:18 EDT 2009

On Fri, 2009-07-31 at 22:24 -0400, Ken Raeburn wrote:
> I've wondered before if some of this functionality should be pulled  
> into the library or existing programs.  For example, various means  
> could be used to express to the library, "if credentials have expired  
> or are about to, use this keytab entry to renew them automatically",  
> or "after successful TGT acquisition, call this function".

I thought about this as well.  There's a certain elegance in having a
credentials cache which is actually a cache, backed by a key in a keytab
which can be used for AS requests, but I think the full design would run
into some uncomfortable questions which are better answered outside of
libkrb5.  For instance, when the caller asks for a service ticket, how
long should the TGT have left in it for us to use the existing TGT
instead of requesting a new one?  When doing an AS request, what
parameters do we use, and do we want to use FAST or PKINIT or any other

> I'm also of two minds as to how much Kerberos programs should be going  
> out of their way to do AFS things, rather than providing hooks and  
> letting someone choose to run AFS programs.

I don't really like the idea of adding setpag calls into kinit.  I think
we have an AFS dependency in login.krb5, but that will get better with
the unbundling of krb5-appl.

So I'm leaning towards keeping the external command hook (the
aklog-shaped hole) and make people use pagsh for the PAG if necessary.
That's probably a good reason not to use the names k5start and krenew.

More information about the krbdev mailing list