Re: interested in discussing some Kerberos improvements

From Russ Allbery <eagle@eyrie.org>
Newsgroups comp.protocols.kerberos
Subject Re: interested in discussing some Kerberos improvements
Date 2026-04-02 19:06 -0700
Organization The Eyrie
Message-ID <mailman.8.1775182004.1813.kerberos@mit.edu>
References (3 earlier) <acrvfhQt/ddH8Kfi@ubby> <4ab956b5-f740-4182-bf7f-2ed1499235ee@geoffthorpe.net> <202603310142.62V1gCdW028597@hedwig.cmf.nrl.navy.mil> <0520e122-01cb-4ecb-81fe-b38cddb744ff@geoffthorpe.net> <87o6k0n6fm.fsf@hope.eyrie.org>

Geoffrey Thorpe <geoff@geoffthorpe.net> writes:

> As I understand it, k5start will invoke kinit periodically to handle
> credential refresh, and so if kinit is configured to use pkinit to get
> creds, then it would pick up the cert and key from the file system each
> time kinit is invoked (rather than them being read only once when
> k5start is first run). Is that correct? If so, that's one less feature
> to worry about. :-)

k5start itself does not run kinit. It uses the Kerberos library calls
directly. I am dubious that it would work with PKINIT from a file without
some code changes. (Although also I'm not sure I understand the security
model of using a PKINIT cert on disk and not a keytab.)

-- 
Russ Allbery (eagle@eyrie.org)             <https://www.eyrie.org/~eagle/>
