Default client keytab name

Danilo Almeida dalmeida at MIT.EDU
Sat Jul 21 15:49:00 EDT 2012


I like your proposal, including your preferences wrt 1, 2, and 3 with just
one exception.  I do not like "clkeytab".  I would prefer to expand that to
"client.keytab".  For example:

  1. %{LOCALSTATEDIR}/krb5/%{uid}/client.keytab

  2. /etc/krb5.client.keytab

- Danilo

-----Original Message-----
From: krbdev-bounces at MIT.EDU [mailto:krbdev-bounces at MIT.EDU] On Behalf Of
ghudson at MIT.EDU
Sent: Saturday, July 21, 2012 7:30 AM
To: krbdev at
Subject: Default client keytab name

For the keytab initiation project, we created a new concept called the
default client keytab.  Currently, the hardcoded value (if there's no
$KRB5_CLIENT_KTNAME or default_client_keytab_name profile setting) is
/etc/krb5.client-keytab, which is just a placeholder.

Soon there will be support for parameterizing the name.  Once that's
in, what should we use for the built-in default?  Here are some

  1. Something like %{LOCALSTATEDIR}/krb5/%{uid}/clkeytab

     This gets parameterization support for the client keytab right
     off the bat.  But it's not very memorable, and because it treads
     on the most poorly standardized part of the Unix filesystem, it's
     likely to be adjusted by each vendor.

  2. Still a file in /etc.  (Perhaps /etc/krb5.clkeytab for brevity.)

     This has the advantage of being nicely parallel to the default
     acceptor keytab.  You'll have to set default_client_keytab_name
     in krb5.conf in order to avoid configuring daemons with
     environment variables (if they're running as different uids and
     need separate keytabs, that is), but that's also true for the
     default acceptor keytab.

  3. Nothing.  If you don't configure a name, there isn't one, and
     krb5_kt_client_default() returns an error.

     This might make sense if we think (1) and (2) are bad choices.

What are people's opinions?  I'm leaning away from (1) myself, and
would be fine with (2) or (3).

A relevant question is whether a system-wide default initiator keytab
ever makes sense.  A system-wide acceptor keytab makes sense when all
of the accepting daemons (which may be just sshd) are running as root.
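As an added illustration (not MIT krb5 code), the following models the lookup order the message describes, environment variable, then the default_client_keytab_name profile setting, then the built-in default, together with the %{LOCALSTATEDIR}/%{uid} expansion the proposals rely on, so the three proposals can be compared for a set of daemon uids. It assumes only the profile value and built-in default are expanded and that an unknown parameter is an error; both are assumptions, not the library's documented behaviour.

```python
import re
from typing import Mapping, Optional, Tuple

ENV_VAR = "KRB5_CLIENT_KTNAME"
PROFILE_KEY = "default_client_keytab_name"
PARAM_RE = re.compile(r"%\{([A-Za-z_]+)\}")


def expand_params(template: str, params: Mapping[str, str]) -> str:
    """Expand %{name} tokens. An unknown name raises instead of being left
    in place, so a typo cannot silently yield a literal '%{...}' path."""
    def repl(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in params:
            raise KeyError("unknown keytab parameter %%{%s}" % name)
        return params[name]
    return PARAM_RE.sub(repl, template)


def resolve_client_keytab(env: Mapping[str, str], profile: Mapping[str, str],
                          builtin_default: Optional[str],
                          params: Mapping[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (source, path). builtin_default=None models proposal (3):
    with nothing configured there is no name and the lookup fails."""
    if env.get(ENV_VAR):
        return "environment", env[ENV_VAR]          # assumed: used verbatim
    if profile.get(PROFILE_KEY):
        return "profile", expand_params(profile[PROFILE_KEY], params)
    if builtin_default is None:
        return None, None                           # krb5_kt_client_default() errors
    return "builtin", expand_params(builtin_default, params)


def keytab_paths_for_uids(template: str, uids, localstatedir: str = "/var") -> dict:
    """Map each daemon uid to the keytab path a template yields for it.
    A shared path means those daemons would read the same keytab."""
    return {uid: expand_params(template, {"LOCALSTATEDIR": localstatedir, "uid": str(uid)})
            for uid in uids}


def shares_keytab(template: str, uids, localstatedir: str = "/var") -> bool:
    """True when two or more uids resolve to the same file (proposal 2's case)."""
    paths = keytab_paths_for_uids(template, uids, localstatedir)
    return len(set(paths.values())) < len(paths)
```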