On Mon, Oct 22, 2012 at 5:51 PM, Jaap Winius <[email protected]> wrote:
> On Mon, 22 Oct 2012 12:07:11 -0700, Russ Allbery wrote:
>
>> remctl doesn't, as yet, have support for anonymous PKINIT, although it's
>> something that I want to add.
>
> Then perhaps remctl is currently not part of a solution to this problem.
> Is there any way at all to automatically create a keytab on a newly
> installed host?
>
Yes, but you have to leverage some kind of existing trust (i.e. I trust foo,
so I'll use foo to extend the trust to create a keytab).

At SLAC we use a special ssh keypair to bootstrap the keytab installation
process. I gave a talk about it a few years back:

http://workshop.openafs.org/afsbpw07/talks/bbense.pdf

Since each site is going to have different things that it "trusts", I think
this is a problem that doesn't have a good general solution. To me it seems
using some kind of public key is required; the trick is exactly how the
public key gets deployed to the client.

- Booker C. Bense
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
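The pattern Booker describes (one pre-trusted ssh key, used only to extend trust far enough to mint a keytab) is easiest to reason about as a forced command on the keytab-issuing host. The script below is an added illustration written for this thread; it is not SLAC's script from the linked talk and not part of any project. It assumes the MIT `kadmin.local` commands (`addprinc -randkey`, `ktadd`, `getprinc`), a placeholder realm `EXAMPLE.COM`, and the usual `SSH_ORIGINAL_COMMAND` / `SSH_CONNECTION` variables that sshd sets for a forced command. The defensive points it adds are the ones a reviewer would ask about: the requested name is validated before it reaches `kadmin`, it must resolve to the address the request came from, and an already-enrolled host is refused so a leaked bootstrap key cannot re-key existing hosts.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper for a keytab-issuing host (added example;
# not the SLAC script and not from the thread). Trust model: the install image
# carries one "bootstrap" ssh private key; this server's authorized_keys pins
# that key to this command, so the only thing a new host can do with it is
# request its own host keytab, once.
#
# authorized_keys line on the keytab server (assumed layout):
#   command="/usr/local/sbin/keytab-bootstrap",no-pty,no-port-forwarding,\
#   no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... bootstrap-key
#
# New host, at the end of its install (assumed client side):
#   ssh -i /root/bootstrap_key bootstrap@kdc.example.com "$(hostname -f)" \
#       > /etc/krb5.keytab && chmod 600 /etc/krb5.keytab

REALM="${REALM:-EXAMPLE.COM}"   # placeholder realm; set for the real site

# Accept only a lowercase FQDN: two or more labels of [a-z0-9-], no leading or
# trailing hyphen, 63 chars max per label. Anything else, including shell
# metacharacters, is rejected before it can reach kadmin.
valid_fqdn() {
    printf '%s' "$1" | grep -Eq \
        '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# First field of $SSH_CONNECTION ("client_ip client_port server_ip server_port").
client_ip_of() {
    printf '%s\n' "${1%% *}"
}

# Returns 0 when the first argument equals one of the remaining arguments.
ip_in_list() {
    ip="$1"; shift
    for a in "$@"; do
        [ "$a" = "$ip" ] && return 0
    done
    return 1
}

# Bind the requested name to the connecting address: a host may only enrol the
# principal whose name resolves to where it is connecting from. getent may print
# several lines (v4 and v6); column 1 of each is an address.
peer_matches() {
    ip_in_list "$2" $(getent hosts "$1" | awk '{print $1}')
}

# Refuse re-issue: once host/<fqdn> exists, the bootstrap key cannot be used
# to re-key (and so impersonate) an already-enrolled host. Assumes MIT
# kadmin.local, whose getprinc prints a "Principal: ..." line on success.
principal_exists() {
    kadmin.local -q "getprinc host/$1@$REALM" 2>/dev/null | grep -q '^Principal:'
}

# Create the principal with a random key and write its keytab to stdout, which
# ssh carries back to the client. Nothing else is written to stdout.
issue_keytab() {
    host="$1"
    dir="$(mktemp -d)" || return 1
    kt="$dir/krb5.keytab"
    kadmin.local -q "addprinc -randkey host/$host@$REALM" >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 1; }
    kadmin.local -q "ktadd -k $kt host/$host@$REALM" >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 1; }
    cat "$kt"
    rm -rf "$dir"
}

main() {
    host="${SSH_ORIGINAL_COMMAND:-}"
    ip="$(client_ip_of "${SSH_CONNECTION:-}")"
    if ! valid_fqdn "$host"; then
        echo "bootstrap: rejected hostname" >&2; exit 2
    fi
    if ! peer_matches "$host" "$ip"; then
        echo "bootstrap: $host does not resolve to $ip" >&2; exit 3
    fi
    if principal_exists "$host"; then
        echo "bootstrap: host/$host already enrolled, refusing" >&2; exit 4
    fi
    logger -t keytab-bootstrap "issuing host/$host@$REALM to $ip"
    issue_keytab "$host" || exit 5
}

# Only act when invoked as an ssh forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    main
fi
```

The bootstrap private key itself is the thing the site has to "trust" being deployed with the image, which is exactly the problem Booker points at; the forced command only limits what a holder of that key can obtain to one fresh host principal per name, and the `logger` line gives the KDC operator a record of every enrolment to reconcile against the provisioning system.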
