Keytab-based initiator creds design

Sam Hartman hartmans at MIT.EDU
Sat Jun 2 10:05:03 EDT 2012

I'm not very comfortable with the first-key in a keytab rule. I
understand Russ's experience, but I suspect most of Stanford's
experience is in situations where Kerberos authentication is desired.
By picking the first key in a keytab especially for system services
you'll make it much more likely that Kerberos will be tried/used in
situations where it is not today.

I think you want to be careful about making it too easy for this code to
trigger automatically.

Like Russ, I believe storing in the default ccache is problematic and
believe that having a robust renewal strategy is important.

More information about the krbdev mailing list