| From | Nico Williams <nico@cryptonector.com> |
|---|---|
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: interested in discussing some Kerberos improvements |
| Date | 2026-03-30 16:47 -0500 |
| Organization | TNet Consulting |
| Message-ID | <mailman.3.1774907270.1813.kerberos@mit.edu> |
| References | <CAH2n15zygW0KP4p5m+5JD40Js_QFbG-t45jGhHtABsZoDXSnCw@mail.gmail.com> <acWS6N8cVWmtHZ4g@ubby> <990e6964-c1f6-4fe3-adc9-4c3f9109a74b@geoffthorpe.net> <acrvfhQt/ddH8Kfi@ubby> |
On Mon, Mar 30, 2026 at 05:41:23PM -0400, Geoffrey Thorpe wrote:
> Yeah I didn't mean stateless in the way you're interpreting it, I get what
> you mean. It's only "stateless" in the sense that the typical orchestration
> problem of managing a KDC, i.e. registering and deregistering client and
> service principals in the KDC database, is avoidable. [...]
I would call this read-only KDCs, or mostly-read-only KDCs.
> > > * a persistent, PKI-based kinit - i.e. where an instance of kinit ("kinit
> > > -C" in heimdal) will automatically renegotiate and update tickets over time
> > > to respect the key-rotation period, and will reread the x509v3 cred each
> > > time (so that any updates to the local PKI cred also get picked up).
> >
> > I'm not sure what this is referring to. MIT Kerberos supports using
> > PKINIT in kinit. Neither MIT nor Heimdal will automatically refresh
> > user certificates though, but Heimdal does have kx509 and an HTTP-based
> > online CA as well which can do that -- it's just Heimdal's kinit does
> > not do what you're asking for.
>
> Perhaps I didn't express it well. The feature I'm relying on is _not_ that
> kinit refreshes the x509v3 cred itself, but that it re-reads the cert and
> key periodically from the FS rather than reading only once at startup. I.e.
FS?
> the assumption is that the pkinit cert+key is going to be refreshed "by
> other means" (in my case via HCP attestation, in other cases it'll be
> whatever PKI tooling keeps creds up to date), so what I'm relying on is that
> the kinit instance will consume those updates to the cred over time (from
> the FS), without requiring a restart.
> The heimdal "kinit -C" does seem to do this.
Are you referring to the mode of kinit where it runs a command and keeps
it supplied with fresh tickets? MIT Kerberos' kinit does not have that
mode.
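The behaviour Geoffrey describes above (a long-lived kinit that picks up a rotated PKINIT cert and key from disk without being restarted) can be approximated with a small supervisor loop around a normal kinit. The script below is an added example for this thread, not code from either poster or from Heimdal or MIT. It assumes Heimdal's kinit, where -C/--pk-user takes FILE:cert,key; for MIT Kerberos the do_kinit flags would be -X X509_user_identity=FILE:cert,key instead. All paths, the principal name and the timing values are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): keep a PKINIT-obtained TGT fresh while
# the client cert/key on disk are rotated by an external tool. Re-runs kinit
# when the cred files change or when the ticket is older than MAX_AGE_SECS.
# Assumes Heimdal kinit, where -C/--pk-user takes FILE:cert,key. For MIT
# Kerberos, replace do_kinit's flags with -X X509_user_identity=FILE:cert,key.
# All paths and the principal below are placeholders.

CERT=${CERT:-/etc/hcp/client-cert.pem}
KEY=${KEY:-/etc/hcp/client-key.pem}
PRINC=${PRINC:-host/worker.example.internal}
KINIT=${KINIT:-kinit}
LIFETIME=${LIFETIME:-1h}
MAX_AGE_SECS=${MAX_AGE_SECS:-1800}   # re-kinit at half the 1h lifetime
CHECK_SECS=${CHECK_SECS:-30}

# Content fingerprint of cert+key. Hashing contents rather than comparing
# mtimes catches tools that rewrite the file with a preserved timestamp and
# ignores a touch(1) that changes nothing.
cred_fingerprint() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    cat "$1" "$2" | cksum | cut -d' ' -f1
}

# needs_refresh PREV_FP CUR_FP LAST_KINIT_EPOCH NOW_EPOCH MAX_AGE
# Succeeds (0) if the cred changed since the last kinit or the ticket is stale.
needs_refresh() {
    [ "$1" != "$2" ] && return 0
    [ $(( $4 - $3 )) -ge "$5" ] && return 0
    return 1
}

do_kinit() {
    "$KINIT" -C "FILE:$CERT,$KEY" -l "$LIFETIME" "$PRINC"
}

refresh_loop() {
    last_fp=""
    last_kinit=0
    while :; do
        now=$(date +%s)
        if fp=$(cred_fingerprint "$CERT" "$KEY"); then
            if needs_refresh "$last_fp" "$fp" "$last_kinit" "$now" "$MAX_AGE_SECS"; then
                if do_kinit; then
                    last_fp=$fp
                    last_kinit=$now
                else
                    # Keep the old ticket and retry next round; a half-rotated
                    # cert/key pair (cert written, key not yet) is the usual cause.
                    echo "kinit failed; will retry in ${CHECK_SECS}s" >&2
                fi
            fi
        else
            echo "cred files unreadable; will retry in ${CHECK_SECS}s" >&2
        fi
        sleep "$CHECK_SECS"
    done
}

# Run the supervisor only when invoked with "run", so the file can also be
# sourced for its functions.
if [ "${1:-}" = run ]; then
    refresh_loop
fi
```

Run it as `sh pkinit-refresh.sh run` under the same service manager that starts the workload, with KRB5CCNAME pointing at the cache the workload reads. Because the fingerprint covers both files, a rotation tool that writes the cert before the key produces one failed kinit and a retry rather than a ticket obtained with a mismatched pair.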