Keytab-based initiator creds design

Greg Hudson ghudson at MIT.EDU
Sat Jun 2 12:50:48 EDT 2012


On 06/02/2012 10:05 AM, Sam Hartman wrote:
> I think you want to be careful about making it too easy for this code to
> trigger automatically.

> Like Russ, I believe storing in the default ccache is problematic and
> believe that having a robust renewal strategy is important.

Okay.  Backing off a bit further from the Heimdal model, I have two
other ideas:

1. You have to set KRB5_KEYTAB_PRINCIPAL.  The default ccache or
collection is used.

2. You have to kinit -k with a new flag and make the resulting ccache
the default cache.  kinit sets a ccache config var remembering the name
of the keytab.  The GSS initiator code recognizes this variable and
tries to refresh the TGT with the keytab if it's more than halfway to
expired.

Some details: can this also work with kinit -S and do we need additional
config state to make that happen?  Do we need additional config state to
avoid trying to refresh too frequently, given that refreshing can fail?
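The refresh decision sketched in option 2 (a ccache marked by kinit -k with the keytab name, refreshed once the TGT is more than halfway to expiry, with a throttle so a failing keytab refresh is not retried on every call), modelled as an added example that is not code from the thread or from MIT krb5; the config-variable name, the 300-second retry interval and the `acquire` callback are assumptions:

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Hypothetical: minimum spacing between keytab refresh attempts, so that a
# refresh that keeps failing (KDC down, wrong keytab) is not retried on every
# GSS initiator call.
MIN_RETRY_INTERVAL = 300


@dataclass
class TgtState:
    starttime: int                       # TGT validity start, epoch seconds
    endtime: int                         # TGT expiry, epoch seconds
    keytab: Optional[str]                # ccache config var set by kinit -k; None if absent
    last_refresh_attempt: Optional[int] = None   # epoch seconds of the last attempt


def should_refresh(state: TgtState, now: int) -> bool:
    """True when the initiator should try to re-acquire the TGT from the keytab."""
    # Only caches that kinit -k marked with a keytab name are eligible;
    # an ordinary password-obtained cache is left alone.
    if state.keytab is None:
        return False
    # Throttle: refreshing can fail, so do not hammer the KDC.
    if (state.last_refresh_attempt is not None
            and now - state.last_refresh_attempt < MIN_RETRY_INTERVAL):
        return False
    lifetime = state.endtime - state.starttime
    if lifetime <= 0:
        return True   # degenerate ticket lifetime: treat as already expired
    # "More than halfway to expired": elapsed fraction exceeds one half.
    return (now - state.starttime) * 2 > lifetime


def refresh_if_needed(state: TgtState, now: int,
                      acquire: Callable[[str], Tuple[int, int]]) -> bool:
    """Run the refresh when due. `acquire(keytab)` stands in for a kinit -k
    style initial-ticket request and returns (starttime, endtime) or raises.
    Returns True only if the TGT was actually replaced."""
    if not should_refresh(state, now):
        return False
    state.last_refresh_attempt = now      # recorded even on failure, for throttling
    try:
        state.starttime, state.endtime = acquire(state.keytab)
    except Exception:
        return False                      # keep the old TGT; retry after the interval
    return True
```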


More information about the krbdev mailing list