Integration of k5start/krenew functionality
ghudson at MIT.EDU
Sat Aug 1 15:44:18 EDT 2009
On Fri, 2009-07-31 at 22:24 -0400, Ken Raeburn wrote:
> I've wondered before if some of this functionality should be pulled
> into the library or existing programs. For example, various means
> could be used to express to the library, "if credentials have expired
> or are about to, use this keytab entry to renew them automatically",
> or "after successful TGT acquisition, call this function".
I thought about this as well. There's a certain elegance in having a
credentials cache which is actually a cache, backed by a key in a keytab
which can be used for AS requests, but I think the full design would run
into some uncomfortable questions which are better answered outside of
libkrb5. For instance, when the caller asks for a service ticket, how
long should the TGT have left in it for us to use the existing TGT
instead of requesting a new one? When doing an AS request, what
parameters do we use, and do we want to use FAST or PKINIT or any other
> I'm also of two minds as to how much Kerberos programs should be going
> out of their way to do AFS things, rather than providing hooks and
> letting someone choose to run AFS programs.
I don't really like the idea of adding setpag calls into kinit. I think
we have an AFS dependency in login.krb5, but that will get better with
the unbundling of krb5-appl.
So I'm leaning towards keeping the external command hook (the
aklog-shaped hole) and make people use pagsh for the PAG if necessary.
That's probably a good reason not to use the names k5start and krenew.
More information about the krbdev