Keytabs in Kerberos

Booker Bense bbense at SLAC.Stanford.EDU
Fri May 2 17:20:32 EDT 2003


On Thu, 1 May 2003, Ken Raeburn wrote:

> silvio at gdora.com.br (Silvio Fonseca) writes:
> > Is there a way to use a "personal" keytab? I mean, how do I make
> > the kerberized programs look for keytabs not only in
> > /etc/krb5.keytab but in other files as well (something like a
> > failover in keytabs, to look first in the system-wide file and then
> > in the personal one)?
>
> That's something that I think should be made configurable someday,
> without requiring environment variables or anything like that just to
> be able to run a server as a non-root user.  I'm not sure how it should
> be set up though.  Perhaps some data in krb5.conf mapping the
> principal name to the keytab name, like:
>
>   [libdefaults]
>     keytabs = {
>       host/* = KEYTAB:/etc/krb5.keytab
>       ftp/* = KEYTAB:/etc/ftp.keytab
>       imap/* = KEYTAB:/etc/imapd/keytab
>       pop/* = SRVTAB:/etc/pop.srvtab
>       */* = KEYTAB:/etc/krb5.keytab
>       * = KEYTAB:~/.k5keytab
>     }
>
> Just an idea....

- Doesn't it make more sense for this to go in the appdefaults
section? Or maybe not, since it's being used by the library
API and not the applications....

- Booker C. Bense
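
Added example, not part of the original thread and not krb5 code: a sketch of how the principal-to-keytab table quoted above could be resolved. The `keytabs` relation is only a proposal in this thread; first-match ordering, `*` not crossing `/`, ignoring the realm, `~` expansion, and the names `resolve_keytab` and `pattern_to_regex` are all assumptions.

```python
import os
import re

# The table from the quoted proposal, in its listed order. This krb5.conf
# relation is an idea from the thread, not an implemented setting.
PROPOSED_KEYTABS = [
    ("host/*", "KEYTAB:/etc/krb5.keytab"),
    ("ftp/*", "KEYTAB:/etc/ftp.keytab"),
    ("imap/*", "KEYTAB:/etc/imapd/keytab"),
    ("pop/*", "SRVTAB:/etc/pop.srvtab"),
    ("*/*", "KEYTAB:/etc/krb5.keytab"),
    ("*", "KEYTAB:~/.k5keytab"),
]


def pattern_to_regex(pattern):
    # Assumption: "*" matches within one name component and never crosses "/",
    # so "*" alone covers only single-component principals.
    parts = [re.escape(p).replace(r"\*", "[^/]*") for p in pattern.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


def resolve_keytab(principal, table=PROPOSED_KEYTABS, home=None):
    """Return (type, path) for the first matching pattern, or None."""
    name = principal.split("@", 1)[0]  # assumption: the realm is not matched
    for pattern, target in table:
        if pattern_to_regex(pattern).match(name):
            kt_type, path = target.split(":", 1)
            if path.startswith("~/"):
                # Assumption: "~" means the home directory of the calling user.
                base = home if home is not None else os.path.expanduser("~")
                path = base.rstrip("/") + path[1:]
            return kt_type, path
    return None


if __name__ == "__main__":
    # Constructed principals and a constructed home directory.
    for p in ["host/www.example.com@EXAMPLE.COM", "pop/mail.example.com",
              "nfs/fs1.example.com", "silvio@EXAMPLE.COM"]:
        print(p, "->", resolve_keytab(p, home="/home/silvio"))
```

Under these assumptions a service principal always resolves to a system keytab, and only single-component (user) principals reach the per-user file. If `*` were allowed to cross `/`, the order of the entries would be the only thing keeping service principals off the personal keytab.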

