Keytabs in Kerberos

Dr. Greg Wettstein greg at wind.enjellic.com
Fri May 2 09:26:15 EDT 2003


On May 1,  5:40pm, Ken Raeburn wrote:
} Subject: Re: Keytabs in Kerberos

> That's something that I think should be made configurable someday,
> without requiring environment variables or anything like that just to
> be able to run a server as a non-root user.  I'm not sure how it should
> be set up though.  Perhaps some data in krb5.conf mapping the
> principal name to the keytab name, like:
> 
>   [libdefaults]
>     keytabs = {
>       host/* = KEYTAB:/etc/krb5.keytab
>       ftp/* = KEYTAB:/etc/ftp.keytab
>       imap/* = KEYTAB:/etc/imapd/keytab
>       pop/* = SRVTAB:/etc/pop.srvtab
>       */* = KEYTAB:/etc/krb5.keytab
>       * = KEYTAB:~/.k5keytab
>     }
> 
> Just an idea....

Actually a great idea.  Would the core team accept patches if they were
to be worked up?

The Hurderos Project is facing a similar problem with keytabs.  The
service identities need the keytab entry both for authentication
purposes as well as for generating the authorization identity.

I was worried about this issue from a security perspective since some
of the applications which needed to carry out authentication and
authorization were non-root processes.  The ability for an application
to have its own keytab would enable the keys to be partitioned
according to application and/or security requirements.

> Ken

Greg

}-- End of excerpt from Ken Raeburn

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-4950            WWW: http://www.enjellic.com
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"There are two things that are infinite; Human stupidity and the
universe.  And I'm not sure about the universe."
                                -- Albert Einstein
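An added example, not code from the thread or from MIT Kerberos: a small Python resolver for the keytabs = { ... } mapping Ken sketched above. It assumes entries form an ordered first-match list (the thread does not define precedence), matches patterns against the principal with the realm stripped, and includes a check for entries that an earlier, broader pattern makes unreachable, since a misordered catch-all would silently hand every service the shared keytab the mapping was meant to partition.

```python
"""Hypothetical resolver for the krb5.conf keytabs = { ... } block proposed above (not MIT code)."""
import fnmatch
import re
from typing import List, Optional, Tuple

# Constructed krb5.conf fragment using the syntax Ken sketched in the thread.
SAMPLE_CONF = """
[libdefaults]
    keytabs = {
        host/* = KEYTAB:/etc/krb5.keytab
        ftp/* = KEYTAB:/etc/ftp.keytab
        imap/* = KEYTAB:/etc/imapd/keytab
        pop/* = SRVTAB:/etc/pop.srvtab
        */* = KEYTAB:/etc/krb5.keytab
        * = KEYTAB:~/.k5keytab
    }
"""
Entry = Tuple[str, str]

def parse_keytab_map(conf: str) -> List[Entry]:
    """Return (pattern, keytab-name) pairs from the keytabs block, in file order."""
    pairs, in_block = [], False
    for raw in conf.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = bool(re.match(r"keytabs\s*=\s*\{", line))
        elif line == "}":
            break
        elif "=" in line:
            pattern, keytab = (s.strip() for s in line.split("=", 1))
            pairs.append((pattern, keytab))
    return pairs

def resolve_keytab(principal: str, mapping: List[Entry], home: str = "~") -> Optional[Entry]:
    """First matching pattern wins (realm ignored); returns (type, path) with ~/ expanded."""
    name = principal.split("@", 1)[0]
    for pattern, keytab in mapping:
        if fnmatch.fnmatchcase(name, pattern):
            ktype, _, path = keytab.partition(":")
            if path.startswith("~/"):
                path = home + path[1:]
            return ktype, path
    return None

def shadowed_entries(mapping: List[Entry]) -> List[str]:
    """Patterns an earlier, broader entry makes unreachable: an ordering mistake.
    Heuristic for '*'-only globs: earlier glob q shadows p if q matches p's own text."""
    return [p for i, (p, _) in enumerate(mapping)
            if any(fnmatch.fnmatchcase(p, q) for q, _ in mapping[:i])]
```

With the sample block, imap/mail.example.com resolves to /etc/imapd/keytab and a plain user principal to ~/.k5keytab; moving the `*` entry to the top makes every other entry unreachable, which shadowed_entries reports.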

