[36351] in Kerberos
Re: Machine authentication
daemon@ATHENA.MIT.EDU (Dameon Wagner)
Sat Aug 9 11:21:10 2014
Date: Sat, 9 Aug 2014 16:20:48 +0100
From: Dameon Wagner <dameon.wagner@it.ox.ac.uk>
To: kerberos@mit.edu
Message-ID: <20140809152048.GD5127@maia.oucs.ox.ac.uk>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <53E5A663.2000807@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Sat, Aug 09 2014 at 00:41:07 -0400, Greg Hudson scribbled
in "Re: Machine authentication":
> On 08/08/2014 03:37 AM, jarek wrote:
> > Is it possible to receive ticket for host principal and use
> > this ticket for authentication ?
>
> Yes. Normally this is done using a keytab, in one of three ways:
>
> * krb5_get_init_creds_keytab from the application code.
>
> * kinit -k from the command line. (This will only work until the
> resulting tickets expire.)
>
> * Client keytab initiation (new in MIT krb5 1.11). Set the
> environment variable KRB5_CLIENT_KTNAME to FILE:/path/to/keytab, and
> set KRB5CCNAME to FILE:/some/path/writable/by/daemon/process. Don't
> create the ccache. The GSS application will create it automatically
> using the keytab, and will refresh it when needed.
Another option that sits somewhere between options 2 and 3 is to use
Russ' very useful k5start tool [0] which will "Obtain and optionally
keep active a Kerberos v5 ticket" by creating a CCache and renewing it
when necessary. The page [0] explains it all better than I can, so
probably best to just give it a read through.
Cheers.
Dameon.
[0](http://www.eyrie.org/~eagle/software/kstart/)
--
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dameon Wagner, Systems Development and Support Team
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
