Default client keytab name

ghudson@MIT.EDU ghudson at MIT.EDU
Sat Jul 21 10:29:40 EDT 2012

For the keytab initiation project, we created a new concept called the
default client keytab.  Currently, the hardcoded value (if there's no
$KRB5_CLIENT_KTNAME or default_client_keytab_name profile setting) is
/etc/krb5.client-keytab, which is just a placeholder.

Soon there will be support for parameterizing the name.  Once that's
in, what should we use for the built-in default?  Here are some

  1. Something like %{LOCALSTATEDIR}/krb5/%{uid}/clkeytab

     This gets parameterization support for the client keytab right
     off the bat.  But it's not very memorable, and because it treads
     on the most poorly standardized part of the Unix filesystem, it's
     likely to be adjusted by each vendor.

  2. Still a file in /etc.  (Perhaps /etc/krb5.clkeytab for brevity.)

     This has the advantage of being nicely parallel to the default
     acceptor keytab.  You'll have to set default_client_keytab_name
     in krb5.conf to in order to avoid configuring daemons with
     environment variables (if they're running as different uids and
     need separate keytabs, that is), but that's also true for the
     default acceptor keytab.

  3. Nothing.  If you don't configure a name, there isn't one, and
     krb5_kt_client_default() returns an error.

     This might make sense if we think (1) and (2) are bad choices.

What are people's opinions?  I'm leaning away from (1) myself, and
would be fine with (2) or (3).

A relevant question is whether a system-wide default initiator keytab
ever makes sense.  A system-wide acceptor keytab makes sense when all
of the accepting daemons (which may be just sshd) are running as root.

More information about the krbdev mailing list