Creating GSSAPI initiate credential using keytab entry--how should this work

Nicolas Williams Nicolas.Williams at
Wed Mar 10 14:14:32 EST 2010

On Wed, Mar 10, 2010 at 02:04:04PM -0500, Greg Hudson wrote:
> On Wed, 2010-03-10 at 12:36 -0500, Sam Hartman wrote:
> > Would it be a good idea to wrap all this logic into
> > gss_acquire_credential so that if you have a keytab you can just use it
> > as an initiator?
> > I.E. would that be a good improvement for the future?
> Possibly.  Or we could do the credentials-cache-backed-by-a-keytab idea.

Solaris already does acquire a TGT using a keytab, but only when
getuid() == 0.  This could/should be generalized.

The main issue is: how to find the correct keytab.  Using an environment
variable will do, but I'd rather have well-known locations for user
keytabs, such as:


The /var/run paths would be nice for system-managed temporary keytabs
(think of a PAM module stashing away your keys for subsequent use; I'm
not promoting this, but I'd like it to be possible).  The /var/krb5
paths would be nice for persistent user keytabs.

> I think it requires at least some thought, though.  Currently our GSSAPI
> library only does TGS requests, not AS requests.  If it start doing AS
> requests, then it becomes a consumer of the gic_opt framework and the
> preauth framework, and there are some (probably manageable) implications
> there.

That's not been a problem for Solaris.


More information about the krbdev mailing list