[39594] in Kerberos
Re: interested in discussing some Kerberos improvements
daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Apr 2 22:08:00 2026
From: Russ Allbery <eagle@eyrie.org>
To: Geoffrey Thorpe <geoff@geoffthorpe.net>
Cc: kenh@cmf.nrl.navy.mil, kerberos@mit.edu
In-Reply-To: <0520e122-01cb-4ecb-81fe-b38cddb744ff@geoffthorpe.net> (Geoffrey
Thorpe's message of "Thu, 2 Apr 2026 18:18:10 -0400")
Date: Thu, 02 Apr 2026 19:06:37 -0700
Message-ID: <87o6k0n6fm.fsf@hope.eyrie.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Geoffrey Thorpe <geoff@geoffthorpe.net> writes:
> As I understand it, k5start will invoke kinit periodically to handle
> credential refresh, and so if kinit is configured to use pkinit to get
> creds, then it would pick up the cert and key from the file system each
> time kinit is invoked (rather than them being read only once when
> k5start is first run). Is that correct? If so, that's once less feature
> to worry about. :-)
k5start itself does not run kinit. It uses the Kerberos library calls
directly. I am dubious that it would work with PKINIT from a file without
some code changes. (Although also I'm not sure I understand the security
model of using a PKINIT cert on disk and not a keytab.)
--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
