svn rev #25764: trunk/doc/rst_source/ krb_admins/ krb_basic/

tsitkova@MIT.EDU tsitkova at MIT.EDU
Wed Mar 14 15:18:09 EDT 2012 

http://src.mit.edu/fisheye/changelog/krb5/?cs=25764
Commit By: tsitkova
Log Message:
Created a new basic Kerberos concepts section and moved stash_file_def there.



Changed Files:
U   trunk/doc/rst_source/index.rst
D   trunk/doc/rst_source/krb_admins/stash_file_def.rst
A   trunk/doc/rst_source/krb_basic/
A   trunk/doc/rst_source/krb_basic/index.rst
A   trunk/doc/rst_source/krb_basic/stash_file_def.rst
Modified: trunk/doc/rst_source/index.rst
===================================================================
--- trunk/doc/rst_source/index.rst	2012-03-14 18:30:39 UTC (rev 25763)
+++ trunk/doc/rst_source/index.rst	2012-03-14 19:18:09 UTC (rev 25764)
@@ -13,6 +13,7 @@
    krb_users/index.rst
    krb_plugindev/index.rst
    krb_build/index.rst
+   krb_basic/index.rst
 
 .. toctree::
    :maxdepth: 1

Added: trunk/doc/rst_source/krb_basic/index.rst
===================================================================
--- trunk/doc/rst_source/krb_basic/index.rst	                        (rev 0)
+++ trunk/doc/rst_source/krb_basic/index.rst	2012-03-14 19:18:09 UTC (rev 25764)
@@ -0,0 +1,10 @@
+.. _basic_concepts:
+
+Basic Kerberos V5 concepts
+==========================
+
+
+.. toctree::
+   :maxdepth: 1
+
+   stash_file_def.rst

Copied: trunk/doc/rst_source/krb_basic/stash_file_def.rst (from rev 25763, trunk/doc/rst_source/krb_admins/stash_file_def.rst)
===================================================================
--- trunk/doc/rst_source/krb_basic/stash_file_def.rst	                        (rev 0)
+++ trunk/doc/rst_source/krb_basic/stash_file_def.rst	2012-03-14 19:18:09 UTC (rev 25764)
@@ -0,0 +1,23 @@
+.. _stash_definition:
+
+
+stash file
+============
+
+The stash file is a local copy of the master key that resides in
+encrypted form on the KDC's local disk.  The stash file is used to
+authenticate the KDC to itself automatically before starting the
+:ref:`kadmind(8)` and :ref:`krb5kdc(8)` daemons (e.g., as part of the
+machine's boot sequence).  The stash file, like the keytab file (see
+:ref:`keytab_file`) is a potential point-of-entry for a break-in, and
+if compromised, would allow unrestricted access to the Kerberos
+database.  If you choose to install a stash file, it should be
+readable only by root, and should exist only on the KDC's local disk.
+The file should not be part of any backup of the machine, unless
+access to the backup data is secured as tightly as access to the
+master password itself.
+
+.. note:: If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. 
+          This means that the KDC will not be able to start automatically, such as after a system reboot.
+
+

More information about the cvs-krb5 mailing list