Possible enhancement request for extra krb5.conf parameter support for kinit

Neng Xue neng.xue at oracle.com
Wed May 13 17:14:28 EDT 2015

Hi Greg,

Thanks for the comments!

On 05/13/15 11:02 AM, Greg Hudson wrote:
> On 05/12/2015 07:37 PM, Neng Xue wrote:
>> I am Neng Xue who works in Oracle Solaris Security group. Recently when
>> I was working on a kerberos related project I noticed that Solaris
>> kerberos has a quite handy krb5.conf [appdefaults] parameter support for
>> kinit command:
>> forwardable=[true | false]
>> Can forward tickets to a remote server.
>> proxiable=[true | false]
>> Sets the proxiable flag in all tickets.
>> no_addresses=[true | false]
>> Creates tickets with no address bindings.
> We already support forwardable, proxiable, and noaddresses options under
> [libdefaults].
Yes, but we still think this per application parameter support might be 
useful in some cases. If we can provide the implementation, do you think 
MIT kerberos team will accept the pull request?
>> renewable=[true | false]
>> Creates a TGT that can be renewed (prior to the ticket expiration time).
> We support a renew_lifetime option under [libdefaults].  I don't know
> what it would mean to request a renewable ticket without a specific
> renewable lifetime.
As far as I can tell from Solaris kerberos, if there is no renewable 
lifetime specified from kinit command line. It will then take the 
maximum renewable lifetime (7 days by default).

Neng Xue
Oracle Solaris Software Engineer
Santa Clara, CA, USA

More information about the krbdev mailing list