a suggestion for reducing use of kdc.conf

Nico Williams nico at cryptonector.com
Tue May 7 12:53:51 EDT 2013


On Tue, May 7, 2013 at 7:47 AM, Nathaniel McCallum
<npmccallum at redhat.com> wrote:
> Yes, but you would have a potential weakness if you placed your RADIUS
> secrets in a world-readable file.

Huh?  Noooo, no passwords/secrets in config files please.  The config
file should name a file where the secret(s) is(are) kept, which file
then can be made sure to be mode 0600 and handled (e.g., w.r.t.
backups, replication, ...) like any other file that contains sensitive
data.  And if there's any way to abuse keytabs (heh) for this, go for
it.

(This is a big deal at Sun^H^H^HOracle, in Solaris engineering and at
PSARC.  Or used to be.)

Nico
--
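
An added illustration of the arrangement described in the message above (not code from the thread or from MIT krb5): a C helper, under the hypothetical name `load_secret_file`, that reads a secret from the file a config entry names and rejects it unless it is a regular file owned by the effective user with no group or other permission bits. The buffer-size limit and the choice of errno return values are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not a krb5 API): read the secret kept in the file the
 * config names into buf, NUL-terminated, trailing newlines stripped.
 * Returns 0 or an errno value; EPERM means unsafe type, owner or mode. */
int load_secret_file(const char *path, char *buf, size_t buflen)
{
    struct stat st;
    size_t len = 0;
    ssize_t n;
    int fd, ret = 0;

    if (buflen < 2)
        return EINVAL;
    /* O_NOFOLLOW refuses a symlink; O_NONBLOCK avoids hanging on a FIFO. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return errno;
    /* fstat() the descriptor so the check and the read see the same file. */
    if (fstat(fd, &st) != 0)
        ret = errno;
    else if (!S_ISREG(st.st_mode) || st.st_uid != geteuid())
        ret = EPERM;
    else if (st.st_mode & (S_IRWXG | S_IRWXO))
        ret = EPERM;            /* any group/other bit is wider than 0600 */
    while (ret == 0 && len < buflen - 1) {
        n = read(fd, buf + len, buflen - 1 - len);
        if (n < 0 && errno != EINTR)
            ret = errno;
        else if (n == 0)
            break;
        else if (n > 0)
            len += (size_t)n;
    }
    close(fd);
    if (ret == 0 && len == buflen - 1)
        ret = ERANGE;           /* secret does not fit; never truncate it */
    while (ret == 0 && len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r'))
        len--;
    if (ret == 0 && len == 0)
        ret = EINVAL;           /* empty secret */
    if (ret != 0)
        memset(buf, 0, buflen); /* hand nothing back on failure */
    else
        buf[len] = '\0';
    return ret;
}
```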

