[39593] in Kerberos
Re: interested in discussing some Kerberos improvements
daemon@ATHENA.MIT.EDU (Geoffrey Thorpe)
Thu Apr 2 18:18:40 2026
Message-ID: <0520e122-01cb-4ecb-81fe-b38cddb744ff@geoffthorpe.net>
Date: Thu, 2 Apr 2026 18:18:10 -0400
MIME-Version: 1.0
To: kenh@cmf.nrl.navy.mil
Content-Language: en-US
From: Geoffrey Thorpe <geoff@geoffthorpe.net>
Cc: kerberos@mit.edu
In-Reply-To: <202603310142.62V1gCdW028597@hedwig.cmf.nrl.navy.mil>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu
On 3/30/26 9:42 PM, Ken Hornstein via Kerberos wrote:
>>> Are you referring to the mode of kinit where it runs a command and keeps
>>> it supplied with fresh tickets? MIT Kerberos' kinit does not have that
>>> mode.
>>
>> Yes that's what I'm referring to. If it's not yet supported by the MIT
>> kinit, I would certainly recommend that it be added, it's very helpful.
>
> Can't speak for anyone else, but we use "k5start" for this.
Ahh, that looks like the same feature, judging from the man page. Thanks.
As I understand it, k5start will invoke kinit periodically to handle
credential refresh, and so if kinit is configured to use pkinit to get
creds, then it would pick up the cert and key from the file system each
time kinit is invoked (rather than them being read only once when
k5start is first run). Is that correct? If so, that's once less feature
to worry about. :-)
Thanks
Geoff
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
