Creating GSSAPI initiate credential using keytab entry--how should this work

Simo Sorce ssorce at
Wed Mar 10 14:46:31 EST 2010

On Wed, 10 Mar 2010 11:36:09 -0800
Russ Allbery <rra at> wrote:

> Nicolas Williams <Nicolas.Williams at> writes:
> > The main issue is: how to find the correct keytab.  Using an
> > environment variable will do, but I'd rather have well-known
> > locations for user keytabs, such as:
> >     /var/run/krb5/keytabs/<user>/keytab
> >     /var/krb5/keytabs/<user>/keytab
> > The /var/run paths would be nice for system-managed temporary
> > keytabs (think of a PAM module stashing away your keys for
> > subsequent use; I'm not promoting this, but I'd like it to be
> > possible).  The /var/krb5 paths would be nice for persistent user
> > keytabs.
> I suspect the second path will vary widely between systems.  For
> instance, Linux systems following the File Hierarchy Standard would
> not be permitted to use /var/krb5, and I think the most reasonable
> interpretation of the FHS would be that persistent keytabs are
> configuration files and therefore must be in /etc.

/var/lib/krb5 would probably be ok.

I am not so positive keytabs are configuration files though.
They are more like data if you ask me, you could say they are


Simo Sorce * Red Hat, Inc * New York

More information about the krbdev mailing list