Keytab-based initiator creds design
Simo Sorce
simo at redhat.com
Sun Jun 3 09:03:01 EDT 2012
On Sat, 2012-06-02 at 15:55 -0500, Nico Williams wrote:
> On Sat, Jun 2, 2012 at 11:50 AM, Greg Hudson <ghudson at mit.edu> wrote:
> > Okay. Backing off a bit further from the Heimdal model, I have two
> > other ideas:
> >
> > 1. You have to set KRB5_KEYTAB_PRINCIPAL. The default ccache or
> > collection is used.
>
> I'd rather see two env vars: KRB5_PRINCIPAL and KRB5_USE_KEYTAB. I
> don't see why the principal goes with the keytab -- any ccache that
> can store tickets for multiple client principals could also benefit
> from such an env var. OR, perhaps we need KRB5_{CCACHE,
> KEYTAB}_PRINCIPAL.
I am not sure what the point of KRB5_USE_KEYTAB is.
If a keytab is available and KRB5_PRINCIPAL is set, it seems obvious to me
that the only option is to use the keytab, and only if that principal is
available in it, no?
In what case would you define KRB5_PRINCIPAL but not KRB5_USE_KEYTAB?
> As for (2), I think I'd also like to have a config file listing which
> users/apps expect to be able to get creds with a keytab, and where to
> store them.
This looks excessive to me. It will force you to also have per-user
config files (which I prefer to avoid) to override the system one.
An environment variable seems the simplest solution at this point, and it
gives you control over each app as you want, even if it requires
configuring each app to start with it.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
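The two selection policies argued over in this exchange, modelled in Python as an added example (this is not code from MIT krb5, Heimdal or any of the posters). The keytab and ccache contents are constructed sample data, and what happens when the named principal is missing from the chosen store (fall back to the other store, or fail) is an assumption made here for illustration, not something the thread settles. The functions return a `(source, principal)` pair so the two readings can be compared on the same environment.

```python
# Constructed sample data standing in for a real keytab and a ccache collection.
SAMPLE_KEYTAB = frozenset({"host/web.example.com@EXAMPLE.COM",
                           "svc/backup@EXAMPLE.COM"})
SAMPLE_CCACHE = frozenset({"alice@EXAMPLE.COM",
                           "svc/backup@EXAMPLE.COM"})


def select_single_var(env, keytab=SAMPLE_KEYTAB, ccache=SAMPLE_CCACHE):
    """One variable (the reading in the reply above): setting KRB5_PRINCIPAL
    by itself means "use the keytab", and only if that principal has a keytab
    entry.  The ccache fallback for a principal absent from the keytab is an
    assumption of this example.  Returns (source, principal)."""
    princ = env.get("KRB5_PRINCIPAL")
    if princ is None:
        return ("ccache", None)          # default ccache, whatever it holds
    if princ in keytab:
        return ("keytab", princ)         # keytab wins when it has the key
    if princ in ccache:
        return ("ccache", princ)         # assumed fallback: cached creds only
    return ("error", princ)              # nothing usable for that principal


def select_two_vars(env, keytab=SAMPLE_KEYTAB, ccache=SAMPLE_CCACHE):
    """Two variables (the quoted proposal): KRB5_PRINCIPAL only names the
    client principal, which a multi-principal ccache collection can use by
    itself; KRB5_USE_KEYTAB is what forces the keytab path."""
    princ = env.get("KRB5_PRINCIPAL")
    use_keytab = env.get("KRB5_USE_KEYTAB", "") not in ("", "0")
    if use_keytab:
        if princ is None:
            return ("error", None)       # keytab requested but no principal named
        return ("keytab", princ) if princ in keytab else ("error", princ)
    if princ is None:
        return ("ccache", None)          # default ccache
    # Principal named, keytab not requested: pick that principal's cache.
    return ("ccache", princ) if princ in ccache else ("error", princ)


def compare(env, keytab=SAMPLE_KEYTAB, ccache=SAMPLE_CCACHE):
    """Run both policies on one environment so the divergence is visible."""
    return {"single_var": select_single_var(env, keytab, ccache),
            "two_vars": select_two_vars(env, keytab, ccache)}


if __name__ == "__main__":
    cases = [
        {},
        {"KRB5_PRINCIPAL": "host/web.example.com@EXAMPLE.COM"},
        # In both stores: the one case where the two readings disagree.
        {"KRB5_PRINCIPAL": "svc/backup@EXAMPLE.COM"},
        {"KRB5_PRINCIPAL": "svc/backup@EXAMPLE.COM", "KRB5_USE_KEYTAB": "1"},
        # Cached user creds only, no keytab entry.
        {"KRB5_PRINCIPAL": "alice@EXAMPLE.COM"},
        {"KRB5_PRINCIPAL": "alice@EXAMPLE.COM", "KRB5_USE_KEYTAB": "1"},
    ]
    for env in cases:
        print(env, "->", compare(env))
```

The interesting input is a principal present in both the keytab and the ccache collection (`svc/backup` in the constructed data): the single-variable reading goes to the keytab, the two-variable reading stays on the ccache unless KRB5_USE_KEYTAB is also set. That is exactly the case the quoted message has in mind when it says a ccache holding several client principals could use KRB5_PRINCIPAL on its own.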