Creating GSSAPI initiate credential using keytab entry--how should this work

Greg Hudson ghudson at MIT.EDU
Wed Mar 10 14:04:04 EST 2010

On Wed, 2010-03-10 at 12:36 -0500, Sam Hartman wrote:
> Would it be a good idea to wrap all this logic into
> gss_acquire_credential so that if you have a keytab you can just use it
> as an initiator?
> I.E. would that be a good improvement for the future?

Possibly.  Or we could do the credentials-cache-backed-by-a-keytab idea.

I think it requires at least some thought, though.  Currently our GSSAPI
library only does TGS requests, not AS requests.  If it start doing AS
requests, then it becomes a consumer of the gic_opt framework and the
preauth framework, and there are some (probably manageable) implications

More information about the krbdev mailing list