On Mon, Mar 30, 2026 at 05:41:23PM -0400, Geoffrey Thorpe wrote:
> Yeah I didn't mean stateless in the way you're interpreting it, I get what
> you mean. It's only "stateless" in the sense that the typical orchestration
> problem of managing a KDC, i.e. registering and deregistering client and
> service principals in the KDC database, is avoidable. [...]
I would call this read-only KDCs, or mostly-read-only KDCs.
> > > * a persistent, PKI-based kinit - i.e. where an instance of kinit ("kinit
> > > -C" in heimdal) will automatically renegotiate and update tickets over
> > > time to respect the key-rotation period, and will reread the x509v3 cred
> > > each time (so that any updates to the local PKI cred also get picked up).
> >
> > I'm not sure what this is referring to. MIT Kerberos supports using
> > PKINIT in kinit. Neither MIT nor Heimdal will automatically refresh
> > user certificates though, but Heimdal does have kx509 and an HTTP-based
> > online CA as well which can do that -- it's just Heimdal's kinit does
> > not do what you're asking for.
>
> Perhaps I didn't express it well. The feature I'm relying on is _not_ that
> kinit refreshes the x509v3 cred itself, but that it re-reads the cert and
> key periodically from the FS rather than reading only once at startup. I.e.
FS?
> the assumption is that the pkinit cert+key is going to be refreshed "by
> other means" (in my case via HCP attestation, in other cases it'll be
> whatever PKI tooling keeps creds up to date), so what I'm relying on is that
> the kinit instance will consume those updates to the cred over time (from
> the FS), without requiring a restart.
> The heimdal "kinit -C" does seem to do this.
Are you referring to the mode of kinit where it runs a command and keeps
it supplied with fresh tickets? MIT Kerberos' kinit does not have that
mode.
________________________________________________
Kerberos mailing list kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
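The behaviour Geoffrey is after (a long-lived kinit that re-reads the PKINIT cert and key from the filesystem on every refresh, so an externally rotated credential is picked up without a restart) can be approximated on MIT Kerberos with a small supervisor around kinit. The following is an added example written for this thread; it is not Heimdal's, MIT's, or the poster's HCP tooling. It assumes MIT kinit on PATH with its real "-X X509_user_identity=FILE:<cert>,<key>" and "-c <ccache>" options; the principal, cache path and refresh interval are placeholders, and the "run" hook exists only so the logic can be exercised without a KDC.

```python
# Added example, not code from Heimdal or MIT Kerberos: emulate a persistent
# PKINIT kinit. Each cycle re-stats the cert and key on disk; kinit is re-run
# when either file changed or the refresh interval elapsed, and the process
# itself never needs restarting when the credential is rotated "by other means".
import os
import subprocess
import sys
import time


def kinit_cmd(principal, cert, key, ccache):
    """MIT kinit PKINIT invocation, in argv form (no shell quoting issues)."""
    return ["kinit", "-X", f"X509_user_identity=FILE:{cert},{key}",
            "-c", ccache, principal]


def cred_mtime(cert, key):
    """Newest mtime of the two credential files; the filesystem is the source of truth."""
    return max(os.stat(cert).st_mtime, os.stat(key).st_mtime)


class PkinitRefresher:
    def __init__(self, principal, cert, key, ccache, interval, run=None):
        self.principal, self.cert, self.key, self.ccache = principal, cert, key, ccache
        self.interval = interval  # seconds between refreshes; keep well under ticket lifetime
        # Hypothetical hook: real deployments use subprocess, tests inject a fake.
        self.run = run or (lambda argv: subprocess.run(argv).returncode)
        self.seen_mtime = None    # mtime of the credential that produced the current ticket
        self.last_ok = None       # timestamp of the last successful kinit

    def reason_to_refresh(self, now):
        """Return why kinit should run now, or None if the current ticket is still fine."""
        if self.last_ok is None:
            return "initial"
        if cred_mtime(self.cert, self.key) != self.seen_mtime:
            return "credential changed on disk"
        if now - self.last_ok >= self.interval:
            return "refresh interval elapsed"
        return None

    def tick(self, now):
        """One cycle: returns the reason kinit ran, or None if it was skipped.
        A failed kinit raises so the caller can alert; state is left untouched
        so the next cycle retries with whatever is on disk by then."""
        why = self.reason_to_refresh(now)
        if why is None:
            return None
        mtime = cred_mtime(self.cert, self.key)  # snapshot before kinit reads the files
        rc = self.run(kinit_cmd(self.principal, self.cert, self.key, self.ccache))
        if rc != 0:
            raise RuntimeError(f"kinit failed (rc={rc}) while refreshing: {why}")
        self.seen_mtime, self.last_ok = mtime, now
        return why

    def loop(self, poll=5):
        """Run forever; poll the filesystem every few seconds, refresh as needed."""
        while True:
            why = self.tick(time.time())
            if why:
                print(f"kinit ran: {why}", file=sys.stderr)
            time.sleep(poll)


if __name__ == "__main__":
    # usage: refresher.py PRINCIPAL CERT KEY CCACHE [INTERVAL_SECONDS]
    p, c, k, cc = sys.argv[1:5]
    PkinitRefresher(p, c, k, cc, int(sys.argv[5]) if len(sys.argv) > 5 else 3600).loop()
```

Two caveats a practitioner will hit: mtime comparison misses a rewrite that preserves timestamps (compare a content hash if the PKI tooling does that), and the cert and key should be replaced atomically (write to a temp file and rename) so a cycle never sees a new cert paired with the old key.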