Keytabs in Kerberos
Dr. Greg Wettstein
greg at wind.enjellic.com
Fri May 2 09:26:15 EDT 2003
On May 1, 5:40pm, Ken Raeburn wrote:
} Subject: Re: Keytabs in Kerberos
> That's something that I think should be made configurable someday,
> without requiring environment variables or anything like that just to
> be able to run a server as a non-root user. I'm not sure how it should
> be set up though. Perhaps some data in krb5.conf mapping the
> principal name to the keytab name, like:
>
> [libdefaults]
>     keytabs = {
>         host/* = KEYTAB:/etc/krb5.keytab
>         ftp/*  = KEYTAB:/etc/ftp.keytab
>         imap/* = KEYTAB:/etc/imapd/keytab
>         pop/*  = SRVTAB:/etc/pop.srvtab
>         */*    = KEYTAB:/etc/krb5.keytab
>         *      = KEYTAB:~/.k5keytab
>     }
>
> Just an idea....
Actually a great idea. Would the core team accept patches if they were
to be worked up?
The Hurderos Project is facing a similar problem with keytabs. The
service identities need the keytab entry both for authentication
purposes as well as for generating the authorization identity.
I was worried about this issue from a security perspective since some
of the applications which needed to carry out authentication and
authorization were non-root processes. The ability for an application
to have its own keytab would enable the keys to be partitioned
according to application and/or security requirements.
> Ken
Greg
}-- End of excerpt from Ken Raeburn
As always,
Dr. G.W. Wettstein, Ph.D.
Enjellic Systems Development, LLC.
Specializing in information infrastructure development.
4206 N. 19th Ave.
Fargo, ND 58102
PH: 701-281-4950
FAX: 701-281-3949
WWW: http://www.enjellic.com
EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"There are two things that are infinite: human stupidity and the
universe. And I'm not sure about the universe."
-- Albert Einstein
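One way the principal-to-keytab lookup Ken sketches could behave, as an added example that is not part of this thread or of the Kerberos code base: a Python resolver that reads the proposed `keytabs = { ... }` block (a constructed sample in the hypothetical syntax from the quoted mail, not real krb5.conf syntax) and picks the most specific matching pattern for a principal, so that a non-root service such as `pop/...` is pointed at its own keytab rather than the host-wide one.

```python
import fnmatch
import re

# Constructed sample in the syntax proposed in the thread (hypothetical, not
# something libkrb5 parses today).
SAMPLE_CONF = """
[libdefaults]
keytabs = {
    host/* = KEYTAB:/etc/krb5.keytab
    ftp/*  = KEYTAB:/etc/ftp.keytab
    imap/* = KEYTAB:/etc/imapd/keytab
    pop/*  = SRVTAB:/etc/pop.srvtab
    */*    = KEYTAB:/etc/krb5.keytab
    *      = KEYTAB:~/.k5keytab
}
"""


def parse_keytab_map(text):
    """Return (pattern, keytab) pairs from the keytabs block, in file order."""
    block = re.search(r"keytabs\s*=\s*\{(.*?)\}", text, re.S)
    if not block:
        return []
    entries = []
    for line in block.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, keytab = line.partition("=")
        entries.append((pattern.strip(), keytab.strip()))
    return entries


def _specificity(pattern):
    # Count literal characters: "host/*" beats "*/*", which beats a bare "*".
    return sum(1 for c in pattern if c not in "*?")


def resolve_keytab(principal, entries):
    """Most specific matching pattern wins; ties go to the earlier entry."""
    name = principal.split("@", 1)[0]  # match on the name part, not the realm
    best = None
    for pattern, keytab in entries:
        if fnmatch.fnmatchcase(name, pattern):
            if best is None or _specificity(pattern) > _specificity(best[0]):
                best = (pattern, keytab)
    return best[1] if best else None
```

The returned value keeps the `KEYTAB:`/`SRVTAB:` type prefix exactly as written in the block; a real implementation would still need to expand `~` and check that the resolved file is readable only by the service's own uid.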