Creating GSSAPI initiate credential using keytab entry--how should this work

Russ Allbery rra at
Wed Mar 10 14:36:09 EST 2010

Nicolas Williams <Nicolas.Williams at> writes:

> The main issue is: how to find the correct keytab.  Using an environment
> variable will do, but I'd rather have well-known locations for user
> keytabs, such as:

>     /var/run/krb5/keytabs/<user>/keytab
>     /var/krb5/keytabs/<user>/keytab

> The /var/run paths would be nice for system-managed temporary keytabs
> (think of a PAM module stashing away your keys for subsequent use; I'm
> not promoting this, but I'd like it to be possible).  The /var/krb5
> paths would be nice for persistent user keytabs.

I suspect the second path will vary widely between systems.  For instance,
Linux systems following the File Hierarchy Standard would not be permitted
to use /var/krb5, and I think the most reasonable interpretation of the
FHS would be that persistent keytabs are configuration files and therefore
must be in /etc.

Russ Allbery (rra at             <>

More information about the krbdev mailing list