Keytabs in Kerberos
Ken Raeburn
raeburn at MIT.EDU
Thu May 1 17:40:19 EDT 2003
silvio at gdora.com.br (Silvio Fonseca) writes:
> Is there a way to use a "personal" keytab? I mean, how do I make
> the kerberized programs look for keytabs not only in
> /etc/krb5.keytab but in other files as well (something like a
> failover in keytabs, looking first in the system-wide file and then
> in the personal one)?
That's something that I think should be made configurable someday,
without requiring environment variables or anything like that just to
be able to run a server as a non-root user. I'm not sure how it should
be set up though. Perhaps some data in krb5.conf mapping the
principal name to the keytab name, like:

    [libdefaults]
        keytabs = {
            host/* = KEYTAB:/etc/krb5.keytab
            ftp/*  = KEYTAB:/etc/ftp.keytab
            imap/* = KEYTAB:/etc/imapd/keytab
            pop/*  = SRVTAB:/etc/pop.srvtab
            */*    = KEYTAB:/etc/krb5.keytab
            *      = KEYTAB:~/.k5keytab
        }

Just an idea....
Ken