Default client keytab name

Nico Williams nico at cryptonector.com
Sat Jul 21 21:19:55 EDT 2012


On Sat, Jul 21, 2012 at 9:29 AM, <ghudson at mit.edu> wrote:
> Soon there will be support for parameterizing the name.  Once that's
> in, what should we use for the built-in default?  Here are some
> options:

I vote for 1.  First, some of us already do this, using $KRB5_KTNAME,
so this would just be convenient.  Second, we're talking about
variable state, even if it changes rarely, not configuration, so I
think this belongs in /var.

Perhaps one could argue that secrets are rarely stored in /var and
that storing secrets there necessitates updating backup strategies.
But this would be true any time a new file with secrets is added even
in /etc.

The fact that the path in (1) is likely to get adjusted by vendors
doesn't bother me.  I would like to see krb5-config(1) have an option
to print the configured default path, and if it can be set in
configuration, then it should also have an option to print the one
currently in effect.  This will help portable applications like wallet
and krb5_admin, and it will help sysadmins' scripting.

> A relevant question is whether a system-wide default initiator keytab
> ever makes sense.  A system-wide acceptor keytab makes sense when all
> of the accepting daemons (which may be just sshd) are running as root.

The whole point of parametrizing this path is precisely that it makes
no sense to have a system-wide initiator keytab default :)

Nico
--
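The "help sysadmins' scripting" point above is concrete enough to sketch. The helper below is an added example, not code from Nico's post or from MIT krb5: it resolves the client keytab a process would actually use, in precedence order, and then checks the file the way a script that is about to rely on a secret under /var should. It assumes an environment variable named KRB5_CLIENT_KTNAME (the initiator analogue of KRB5_KTNAME), an optional `krb5-config --defcktname` query for the built-in default, and a hypothetical fallback path; none of these are established by the thread.

```shell
#!/bin/sh
# Added example (not from the original post or from MIT krb5).
# Assumptions: KRB5_CLIENT_KTNAME names the client keytab, krb5-config may
# or may not understand --defcktname, and FALLBACK_CKTNAME is a hypothetical
# vendor default used only when neither of the above yields a path.

FALLBACK_CKTNAME=/var/kerberos/krb5/user/client.keytab   # hypothetical

# Print the client keytab path in effect:
#   1. KRB5_CLIENT_KTNAME from the environment
#   2. the built-in default reported by krb5-config, if it supports the query
#   3. the hypothetical fallback
# A leading "FILE:" type prefix is stripped so the result is a plain path.
client_keytab() {
    if [ -n "$KRB5_CLIENT_KTNAME" ]; then
        printf '%s\n' "${KRB5_CLIENT_KTNAME#FILE:}"
        return 0
    fi
    if command -v krb5-config >/dev/null 2>&1; then
        p=$(krb5-config --defcktname 2>/dev/null) && [ -n "$p" ] && {
            printf '%s\n' "${p#FILE:}"
            return 0
        }
    fi
    printf '%s\n' "$FALLBACK_CKTNAME"
}

# A keytab is a long-term secret: it must exist and must not be readable by
# group or other, wherever it lives (/var or /etc).
# Returns 0 if acceptable, 1 if the file is missing, 2 if the mode is too loose.
check_keytab_perms() {
    kt=$1
    [ -f "$kt" ] || return 1
    # GNU stat first, BSD/macOS stat as a fallback; both print an octal mode.
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt" 2>/dev/null)
    case "$mode" in
        *00) return 0 ;;   # e.g. 600, 400, 700: owner-only
        *)   return 2 ;;   # any group/other bits set
    esac
}

# Typical use from a script that needs to initiate with a keytab.
if [ "${0##*/}" != "sh" ] && [ -z "$CLIENT_KEYTAB_LIB" ]; then
    kt=$(client_keytab)
    if check_keytab_perms "$kt"; then
        echo "client keytab in effect: $kt"
    else
        echo "client keytab $kt missing or too permissive (rc=$?)" >&2
    fi
fi
```

The check deliberately does not care which directory the keytab lives in; the backup and permission concerns raised in the thread apply to any file holding keys, which is why the mode test is the part worth scripting.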