Common keytab file for all the application servers - Is it possible???

Viswa viswanatha.shankaranarayana at gmail.com
Tue Jan 3 00:24:28 EST 2006


I have a proposal. Let me know if this is a good idea to go about!

1. Generate separate keytab file for each target.
2. Merge the keytabs into a common keytab file.
3. While configuring the target make sure they will use only the part
of the keytab meant for them.

This way the security is also not compromised.

Group,
Are there any other similar approaches?

Regards
Viswa

Markus Moeller wrote:
> This type of setup won't work.  You have to differentiate between what is
> possible with Kerberos/GSSAPI and how are existing applications (e.g.
> telnet,ftp,HTTP) using it. With telnet,ftp,HTTP you are bound to DNS
> resolutions (A record and reverse, hosts files are possible but painful). If
> you write your own Kerberos/GSSAPI applications you can define it yourself
> and can do it independent of DNS.
>
> Regards
> Markus
>
> <sandypossible at gmail.com> wrote in message
> news:1136208949.823674.122820 at g44g2000cwa.googlegroups.com...
> > Hi,
> >
> > If I go for the same keytab knowing that there is compromise of
> > security, I have some questions.
> >
> > Assuming that I have a windows 2003 KDC. I have two linux machines. I
> > will add a user account and generate a keytab file using ktpass. Please
> > note that the ktpass tool requires us to specify host/<fqdn>. I will
> > now copy the same keytab file to both these linux machines. Now from
> > another windows XP I will try to connect to one linux machine using
> > telnet. My question is how will the windows XP machine connect to the
> > correct linux machine? How will the identification of the correct
> > telnet server happen if both linux machines are running telnet daemon?
> >
> >
> > - Sandy.
> >
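To make the three-step proposal above concrete, here is an added example in Python; it is not code from the list thread or from MIT Kerberos. It reads and writes the version-2 MIT keytab file format directly, merges two per-host keytabs (step 2) and then cuts out only the `host/<fqdn>` entries meant for one machine (step 3), so the file actually shipped to each server carries no other server's key. The hostnames linux1.example.com and linux2.example.com, the realm EXAMPLE.COM, the timestamp and the key bytes are constructed sample values, not real key material.

```python
import os
import struct
from dataclasses import dataclass

# Version-2 MIT keytab layout: 2-byte magic, then entries, each prefixed by a
# signed 32-bit length; every integer is big-endian.
KEYTAB_MAGIC = b"\x05\x02"
NT_PRINCIPAL = 1                  # krb5 name type for ordinary principals
ENCTYPE_AES256_CTS_HMAC_SHA1 = 18

@dataclass
class KeytabEntry:
    principal: str                # "service/fqdn@REALM" or "user@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    def host(self):
        """Host part of a service/host principal, None for a user principal."""
        parts = self.principal.rsplit("@", 1)[0].split("/")
        return parts[1] if len(parts) == 2 else None

def _counted(s):
    data = s.encode()
    return struct.pack(">H", len(data)) + data

def _read_counted(blob, off):
    (n,) = struct.unpack_from(">H", blob, off)
    return blob[off + 2:off + 2 + n].decode(), off + 2 + n

def encode_entry(e):
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm)  # v2: realm not counted
    body += b"".join(_counted(c) for c in comps)
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)                       # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body

def write_keytab(entries):
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)

def parse_keytab(blob):
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size == 0:
            break
        if size < 0:                  # negative length marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        realm, off = _read_counted(blob, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(blob, off)
            comps.append(comp)
        name_type, ts, vno8 = struct.unpack_from(">IIB", blob, off)
        enctype, klen = struct.unpack_from(">HH", blob, off + 9)
        key = blob[off + 13:off + 13 + klen]
        off += 13 + klen
        kvno = vno8
        if end - off >= 4:            # 32-bit kvno present; it overrides vno8
            (kvno,) = struct.unpack_from(">I", blob, off)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, ts, kvno, enctype, key))
        off = end
    return entries

def principals(blob):
    return [e.principal for e in parse_keytab(blob)]

def merge_keytabs(*blobs):
    """Step 2 of the proposal: combine several keytabs into one file."""
    return write_keytab([e for b in blobs for e in parse_keytab(b)])

def keytab_for_host(merged, fqdn):
    """Step 3: keep only the service/<fqdn> entries that belong to one host."""
    return write_keytab([e for e in parse_keytab(merged) if e.host() == fqdn])

def save_keytab(path, blob):
    """Write a keytab readable only by its owner (mode 0600)."""
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "wb") as f:
        f.write(blob)

def constructed_keytab(fqdn, kvno, fill):
    """Constructed sample (step 1): one host/<fqdn> entry with dummy key bytes."""
    return write_keytab([KeytabEntry(f"host/{fqdn}@EXAMPLE.COM", NT_PRINCIPAL,
                                     1136246668, kvno, ENCTYPE_AES256_CTS_HMAC_SHA1,
                                     bytes([fill]) * 32)])

LINUX1, LINUX2 = "linux1.example.com", "linux2.example.com"
MERGED = merge_keytabs(constructed_keytab(LINUX1, 3, 0x11),
                       constructed_keytab(LINUX2, 5, 0x22))
```

`principals(MERGED)` lists both host principals, while `principals(keytab_for_host(MERGED, LINUX1))` lists only linux1's, and `save_keytab` writes the result with owner-only permissions. In practice the same merge is done with MIT `ktutil` (`rkt` to read each file, `wkt` to write the combined one); the point of re-implementing the file handling here is to make visible what a merged keytab contains and why step 3 matters: a server that holds the merged file can decrypt service tickets issued for every other host in it. This is also the answer to Sandy's telnet question as Markus describes it: the client asks the KDC for a ticket to `host/<fqdn>` for the name it resolved, and only a server holding that principal's key can decrypt it, so each machine needs the entry for its own FQDN and no others.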



