Integration of k5start/krenew functionality

Douglas E. Engert deengert at
Wed Aug 5 09:53:45 EDT 2009

Jeffrey Hutzelman wrote:
> --On Tuesday, August 04, 2009 01:04:13 PM -0400 Sam Hartman 
> <hartmans at> wrote:
>> 5) Plugins are good.  AFS, Linux keyring management (establisg a session
>> keyring), etc all could use plugins.  Depending on things like pagsh is
>> administrator-hostile.
> What do you think of the argument that "complex" credential management, 
> such as automatically maintaining AFS credentials and setting up a new PAG, 
> keyring, SSH agent, etc. should be left entirely to external tools such as 
> kstart and not distributed with Kerberos at all?
> Do we want a situation where, for example, Kerberos and AFS are aware of 
> each other, and if you install both you get something more than the sum of 
> the pieces?  Or is the problem better solved by a separate tool which is 
> based on public interfaces exported by both?

Other examples of credentials could be included in this mix, including
Kx509 and NFSv4 use of tickets in the kernel.

Many of the issues have been addressed in login and screen unlock,
when credentials are renewed, and pam modules handle obtaining
additional credentials. Could pam be used from kinit much like screen unlock?

> -- Jeff
> _______________________________________________
> krbdev mailing list             krbdev at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list