[39589] in Kerberos
Re: interested in discussing some Kerberos improvements
daemon@ATHENA.MIT.EDU (Nico Williams)
Mon Mar 30 17:48:04 2026
Date: Mon, 30 Mar 2026 16:47:42 -0500
From: Nico Williams <nico@cryptonector.com>
To: Geoffrey Thorpe <geoff@geoffthorpe.net>
Cc: kerberos@mit.edu
Message-ID: <acrvfhQt/ddH8Kfi@ubby>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <990e6964-c1f6-4fe3-adc9-4c3f9109a74b@geoffthorpe.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Mon, Mar 30, 2026 at 05:41:23PM -0400, Geoffrey Thorpe wrote:
> Yeah I didn't mean stateless in the way you're interpreting it, I get what
> you mean. It's only "stateless" in the sense that the typical orchestration
> problem of managing a KDC, i.e. registering and deregistering client and
> service principals in the KDC database, is avoidable. [...]
I would call this read-only KDCs, or mostly-read-only KDCs.
> > > * a persistent, PKI-based kinit - i.e. where an instance of kinit ("kinit
> > > -C" in heimdal) will automatically renegotiate and update tickets over time
> > > to respect the key-rotiation period, and will reread the x509v3 cred each
> > > time (so that any updates to the local PKI cred also get picked up).
> >
> > I'm not sure what this is referring to. MIT Kerberos supports using
> > PKINIT in kinit. Neither MIT nor Heimdal will automatically refresh
> > user certificates though, but Heimdal does have kx509 and an HTTP-based
> > online CA as well which can do that -- it's just Heimdal's kinit does
> > not do what you're asking for.
>
> Perhaps I didn't express it well. The feature I'm relying on is _not_ that
> kinit refreshes the x509v3 cred itself, but that it re-reads the cert and
> key periodically from the FS rather than reading only once at startup. I.e.
FS?
> the assumption is that the pkinit cert+key is going to be refreshed "by
> other means" (in my case via HCP attestation, in other cases it'll be
> whatever PKI tooling keeps creds up to date), so what I'm relying on is that
> the kinit instance will consume those updates to the cred over time (from
> the FS), without requiring a restart.
> The heimdal "kinit -C" does seem to do this.
Are you referring to the mode of kinit where it runs a command and keeps
it supplied with fresh tickets? MIT Kerberos' kinit does not have that
mode.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
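Editor's note: the thread above asks for a kinit that keeps running and re-reads a PKINIT cert and key from disk as some other tool rotates them, and Nico points out that MIT Kerberos' kinit has no such mode. The script below is an added example, not code from the thread, from MIT Kerberos or from Heimdal. It gets the same effect on MIT Kerberos from the outside: a loop that re-invokes kinit (which reads the identity files afresh on every invocation) whenever the cert or key content changes, or when a refresh interval elapses. It relies on MIT kinit's documented -X X509_user_identity=FILE:cert,key option; the credential paths, principal and interval defaults are hypothetical, and KINIT_CMD is overridable only so the loop can be exercised without a KDC.

```shell
#!/bin/sh
# Added example (not from the thread or either Kerberos implementation):
# keep a TGT fresh from a PKINIT cert+key that something else rotates on disk.
# Assumes MIT kinit and its -X X509_user_identity=FILE:cert,key option.
# All paths, the principal and the intervals below are hypothetical defaults.

PKINIT_CERT="${PKINIT_CERT:-/var/lib/hcp/pkinit/cert.pem}"
PKINIT_KEY="${PKINIT_KEY:-/var/lib/hcp/pkinit/key.pem}"
PRINCIPAL="${PRINCIPAL:-host/node1.example.test@EXAMPLE.TEST}"
KRB5CCNAME="${KRB5CCNAME:-FILE:/run/pkinit-refresh/krb5cc}"
export KRB5CCNAME
REFRESH_SECS="${REFRESH_SECS:-3600}"   # re-kinit at least this often
POLL_SECS="${POLL_SECS:-10}"           # how often to look at the files
KINIT_CMD="${KINIT_CMD:-kinit}"        # overridable for testing without a KDC

# Content fingerprint of cert+key (cksum is POSIX). Content rather than mtime,
# so an in-place rewrite with a preserved timestamp is still noticed.
# Prints nothing if either file is unreadable.
cred_fingerprint() {
    if [ -r "$PKINIT_CERT" ] && [ -r "$PKINIT_KEY" ]; then
        cat "$PKINIT_CERT" "$PKINIT_KEY" | cksum
    fi
}

# Obtain a new TGT with PKINIT. kinit reads the cert and key from disk on
# each invocation, so a rotated credential is picked up with no restart of
# anything long-lived. Returns kinit's exit status.
acquire_tgt() {
    "$KINIT_CMD" -X "X509_user_identity=FILE:$PKINIT_CERT,$PKINIT_KEY" "$PRINCIPAL"
}

# Why a refresh is due, if it is. $1 = fingerprint at last success,
# $2 = epoch seconds of last success, $3 = epoch seconds now.
# Prints "changed" (files differ from last success), "expired" (interval
# elapsed) or nothing.
refresh_reason() {
    cur_fp=$(cred_fingerprint)
    if [ "$cur_fp" != "$1" ]; then
        echo changed
    elif [ $(( $3 - $2 )) -ge "$REFRESH_SECS" ]; then
        echo expired
    fi
}

# Poll forever. A failed kinit (KDC down, cert not yet valid) is retried on
# the next poll without touching the fingerprint, so the credential that
# failed is tried again rather than silently skipped.
run_loop() {
    last_fp=""
    last_ok=0
    while :; do
        reason=$(refresh_reason "$last_fp" "$last_ok" "$(date +%s)")
        if [ -n "$reason" ]; then
            if acquire_tgt; then
                last_fp=$(cred_fingerprint)
                last_ok=$(date +%s)
                echo "pkinit-refresh: TGT refreshed ($reason)" >&2
            else
                echo "pkinit-refresh: kinit failed ($reason), retrying in ${POLL_SECS}s" >&2
            fi
        fi
        sleep "$POLL_SECS"
    done
}

# Only start the loop when asked, so the functions can also be sourced.
case "${1:-}" in
    run) run_loop ;;
esac
```

Start it with "sh pkinit-refresh.sh run" under whatever supervises the node, pointing KRB5CCNAME at the cache the consuming service reads. The polling is deliberately content-based: the rotation tooling described in the thread replaces files, and a checksum notices that regardless of how the replacement was done, while a failed kinit leaves the fingerprint untouched so the new credential is retried rather than forgotten.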