Creating GSSAPI initiate credential using keytab entry--how should this work

Russ Allbery rra at
Wed Mar 10 15:06:40 EST 2010

Nicolas Williams <Nicolas.Williams at> writes:

> But we're talking about _user_ content, not system content.

Ah, I see, you said persistent user keytabs and I missed the user (or,
rather, interpreted it to mean application users used for privilege
separation by the system administrator, not regular login users).

> Such contents is best placed in $HOME, but then you get into a catch-22
> if you need [fresh] credentials to access $HOME, and, of course, you'd
> want to encrypt such credentials in case they are not confidentiality-
> protected on the wire.  It's easier to use local storage, and /var seems
> right for that.  Personally, I'd disallow persistent user keytabs and go
> with /var/run only as a matter of _policy_, but I think the system
> should support persistent user keytabs as well.

I agree that the waters are muddier if one is talking about general shell
users creating keytabs for their personal use.  I would still create
per-user directories in /etc for this, personally, but I think the FHS
would accept either answer.

Russ Allbery (rra at             <>

More information about the krbdev mailing list