Creating GSSAPI initiate credential using keytab entry--how should this work

Russ Allbery rra at
Wed Mar 10 15:01:40 EST 2010

Simo Sorce <ssorce at> writes:
> Russ Allbery <rra at> wrote:

>> I suspect the second path will vary widely between systems.  For
>> instance, Linux systems following the File Hierarchy Standard would not
>> be permitted to use /var/krb5, and I think the most reasonable
>> interpretation of the FHS would be that persistent keytabs are
>> configuration files and therefore must be in /etc.

> /var/lib/krb5 would probably be ok.

Yes, if you don't think keytabs are configuration files.

> I am not so positive keytabs are configuration files though.  They are
> more like data if you ask me, you could say they are micro-databases.

Authorization material has always been treated as a configuration file on
Linux systems, IMO.  Configured database passwords, usernames, and similar
sorts of legacy credentials are fairly uniformly in configuration files in
/etc.  Likewise for system X.509 certificates and, for Debian at least,
the PGP keys used to verify package downloads (and, for that matter,
/etc/shadow).  Most tellingly, the system keytab is always a configuration
file in /etc and has been for many years.

With my Debian Policy hat on, I'd object to a default location in /var for
persistent keytabs.  /etc/keytabs or (probably better) /etc/krb5/keytabs
would be my recommendation, with a legacy exception for /etc/krb5.keytab.

All that aside, though, I really like Nico's original point.  I think
having a default location and naming convention for keytabs would be very
useful and would solve a lot of annoying problems.

Russ Allbery (rra at             <>

More information about the krbdev mailing list