Keytab-based initiator creds design

Nico Williams nico at cryptonector.com
Sat Jun 2 16:55:48 EDT 2012


On Sat, Jun 2, 2012 at 11:50 AM, Greg Hudson <ghudson at mit.edu> wrote:
> Okay.  Backing off a bit further from the Heimdal model, I have two
> other ideas:
>
> 1. You have to set KRB5_KEYTAB_PRINCIPAL.  The default ccache or
> collection is used.

I'd rather see two env vars: KRB5_PRINCIPAL and KRB5_USE_KEYTAB.  I
don't see why the principal goes with the keytab -- any ccache that
can store tickets for multiple client principals could also benefit
from such an env var.  OR, perhaps we need KRB5_{CCACHE,
KEYTAB}_PRINCIPAL.

As for (2), I think I'd also like to have a config file listing which
users/apps expect to be able to get creds with a keytab, and where to
store them.

Nico
--