Integration of k5start/krenew functionality

Sam Hartman hartmans at MIT.EDU
Wed Aug 5 08:49:41 EDT 2009

>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz at> writes:

8    Jeffrey> --On Tuesday, August 04, 2009 01:04:13 PM -0400 Sam
    Jeffrey> Hartman
    Jeffrey> <hartmans at> wrote:

>8 5) Plugins are good.  AFS, Linux keyring management (establisg a session
    >> keyring), etc all could use plugins.  Depending on things like
    >> pagsh is administrator-hostile.

    Jeffrey> What do you think of the argument that "complex"
    Jeffrey> credential management, such as automatically maintaining
    Jeffrey> AFS credentials and setting up a new PAG, keyring, SSH
    Jeffrey> agent, etc. should be left entirely to external tools
    Jeffrey> such as kstart and not distributed with Kerberos at all?

I mostly don't buy it.  In its white papers, the consortium has taken
the position that Kerberos is part of fairly complex interdependent
systems basically in all the environments that use Kerberos.

I don't think the simple use cases are interesting to anyone

I can think of a couple of specific exceptions.  For example
maintaining credentials for the system account.  If one of those use
cases happens to be the real motivating use case for this work, then
sticking very closely to that use case seems good.

This project runs the real danger of creating a partial solution that
no one really wants that is strictly less useful than k5start.
Whatever can be done to avoid that is good, and if possible locking in
on a specific enough use case would be an example of such a way out.


More information about the krbdev mailing list