[39590] in Kerberos


Re: interested in discussing some Kerberos improvements

daemon@ATHENA.MIT.EDU (Geoffrey Thorpe)
Mon Mar 30 17:58:58 2026

Message-ID: <4ab956b5-f740-4182-bf7f-2ed1499235ee@geoffthorpe.net>
Date: Mon, 30 Mar 2026 17:57:33 -0400
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
Cc: kerberos@mit.edu
Content-Language: en-US
From: Geoffrey Thorpe <geoff@geoffthorpe.net>
In-Reply-To: <acrvfhQt/ddH8Kfi@ubby>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu

On 3/30/26 5:47 PM, Nico Williams wrote:
> On Mon, Mar 30, 2026 at 05:41:23PM -0400, Geoffrey Thorpe wrote:
>> Yeah I didn't mean stateless in the way you're interpreting it, I get what
>> you mean. It's only "stateless" in the sense that the typical orchestration
>> problem of managing a KDC, i.e. registering and deregistering client and
>> service principals in the KDC database, is avoidable. [...]
> 
> I would call this read-only KDCs, or mostly-read-only KDCs.

That's the idea. When I wrote "stateless" it was with respect to the 
database state, not protocol state. And even then, there's some hand 
waving implied.

>> Perhaps I didn't express it well. The feature I'm relying on is _not_ that
>> kinit refreshes the x509v3 cred itself, but that it re-reads the cert and
>> key periodically from the FS rather than reading only once at startup. I.e.
> 
> FS?

file system

>> the assumption is that the pkinit cert+key is going to be refreshed "by
>> other means" (in my case via HCP attestation, in other cases it'll be
>> whatever PKI tooling keeps creds up to date), so what I'm relying on is that
>> the kinit instance will consume those updates to the cred over time (from
>> the FS), without requiring a restart.
>> The heimdal "kinit -C" does seem to do this.
> 
> Are you referring to the mode of kinit where it runs a command and keeps
> it supplied with fresh tickets?  MIT Kerberos' kinit does not have that
> mode.

Yes, that's what I'm referring to. If it's not yet supported by the MIT 
kinit, I would certainly recommend that it be added; it's very helpful.

Cheers,
Geoff

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
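The mode discussed above, a kinit that runs a command and keeps it supplied with fresh tickets while re-reading the PKINIT cert and key from the file system, can be approximated around MIT kinit with a wrapper script. The following is an added illustration written for this page; it is not code from the thread, from Heimdal or from MIT Kerberos. It uses MIT kinit's real `-X X509_user_identity=FILE:cert,key` option and `kdestroy -c`; everything else (the `KINIT` override, `INTERVAL`, `RENEW_AFTER`, the cache naming, and the cksum-based change detection) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from MIT/Heimdal Kerberos): run a
# command under its own credential cache and keep its TGT fresh, taking the
# PKINIT identity from the file system every time it is rotated there.
#
# Usage: wrapper.sh PRINCIPAL CERT.pem KEY.pem COMMAND [ARGS...]

KINIT=${KINIT:-kinit}               # assumption: override with a stub for dry runs
INTERVAL=${INTERVAL:-60}            # assumption: seconds between checks of cert/key
RENEW_AFTER=${RENEW_AFTER:-3600}    # assumption: re-kinit at least this often

# Fingerprint of the PKINIT identity as it currently sits on disk (cert + key).
# POSIX cksum is used so the script does not depend on a particular stat(1).
cred_fingerprint() {
    cat "$1" "$2" | cksum | awk '{print $1 ":" $2}'
}

# A new kinit is needed when the identity on disk changed (fingerprint
# differs) or when RENEW_AFTER seconds have passed since the last kinit.
#   $1 = previous fingerprint, $2 = current fingerprint,
#   $3 = seconds since last kinit, $4 = renew threshold in seconds
needs_refresh() {
    [ "$1" != "$2" ] || [ "$3" -ge "$4" ]
}

# Replace the TGT via PKINIT, reading cert and key fresh from the file system.
# -X X509_user_identity=FILE:cert,key is MIT kinit's PKINIT identity option.
refresh_tgt() {
    "$KINIT" -c "$CACHE" -X "X509_user_identity=FILE:$2,$3" "$1"
}

main() {
    principal=$1; cert=$2; key=$3; shift 3
    CACHE=${CACHE:-FILE:$(mktemp /tmp/krb5cc_wrap.XXXXXX)}   # private ccache
    export KRB5CCNAME="$CACHE"

    refresh_tgt "$principal" "$cert" "$key" || return 1
    last=$(cred_fingerprint "$cert" "$key")
    last_kinit=$(date +%s)

    "$@" &                         # the wrapped command inherits KRB5CCNAME
    child=$!
    # Tear the child and its tickets down together when the wrapper exits.
    trap 'kill "$child" 2>/dev/null; kdestroy -c "$CACHE" 2>/dev/null' EXIT

    while kill -0 "$child" 2>/dev/null; do
        sleep "$INTERVAL"
        cur=$(cred_fingerprint "$cert" "$key")
        now=$(date +%s)
        if needs_refresh "$last" "$cur" "$((now - last_kinit))" "$RENEW_AFTER"; then
            # Only record success; on failure keep the old fingerprint so the
            # next pass retries with whatever is on disk by then.
            if refresh_tgt "$principal" "$cert" "$key"; then
                last=$cur
                last_kinit=$now
            fi
        fi
    done
    wait "$child"                  # propagate the wrapped command's exit status
}

# Run only when invoked with principal, cert, key and a command.
if [ "$#" -ge 4 ]; then
    main "$@"
fi
```

The change detection is content-based rather than mtime-based on purpose: PKI tooling that rewrites the same bytes does not trigger a needless kinit, while a rotated cert or key does, even if its timestamp is unchanged. A failed refresh leaves the previous fingerprint in place, so the wrapper keeps retrying on each interval instead of silently treating a half-written identity as consumed.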
