GSSAPI keytab location per application

Peger, Daniel Heinrich dpeger at cosa.de
Thu Feb 15 11:32:44 EST 2007


Hi,

If a service (GSS_C_HOSTBASED_SERVICE) tries to authenticate itself in
order to establish a security context the GSSAPI methods automatically
try to find the according principal in a keytab file. The location of
the keytab is either determined by the KRB5_KTNAME environment variable
(Windows) or the default_keytab_name in the krb5.conf (Unix).

Is there any way to specify a keytab different than the default one on a
per application basis? Since this is all about security a single keytab
containing all the keys for the service principals of a machine might
easily become compromised. Thus I'm looking for a way to specify a
configuration setting that tells an application where to find the
information it needs to authenticate itself. But so far I found no way
using the GSSAPI C bindings. Does this functionality exist in the MIT
Kerberos 5 API?

Best Regards,
Daniel.
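
The risk raised in the message above, a single machine-wide keytab accumulating keys for every service principal, can be audited by listing what a keytab file actually holds. This is an added example, not part of the original post and not MIT Kerberos code: a minimal Python reader for the version 0x0502 keytab file layout, with function names, principals and realm constructed for illustration.

```python
import struct

def read_counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_principals(data):
    """Map each principal in a version 0x0502 keytab to its set of kvnos."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = {}, 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:                    # negative size marks a deleted entry
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = read_counted(entry, off)
            comps.append(comp.decode())
        off += 8                         # skip name type and timestamp
        kvno = entry[off]                # 8-bit key version number
        _key, off = read_counted(entry, off + 3)  # skip enctype; key is discarded
        if size - off >= 4:              # optional 32-bit kvno wins when nonzero
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        found.setdefault("/".join(comps) + "@" + realm.decode(), set()).add(kvno)
    return found

def services(data):
    """Distinct service names (first principal component) with keys in the keytab."""
    return sorted({p.split("/")[0].split("@")[0] for p in keytab_principals(data)})

def build_entry(principal, kvno, key=b"\x00" * 16):
    """Build one entry for the constructed sample (enctype 17, zeroed key)."""
    name, realm = principal.split("@")
    s = lambda b: struct.pack(">H", len(b)) + b
    comps = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + s(realm.encode()) + b"".join(map(s, comps))
    body += struct.pack(">IIBH", 1, 0, kvno, 17) + s(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one machine-wide keytab holding keys for three services.
SAMPLE = b"\x05\x02" + b"".join(build_entry(p, k) for p, k in [
    ("host/app1.example.com@EXAMPLE.COM", 2), ("HTTP/app1.example.com@EXAMPLE.COM", 3),
    ("ldap/app1.example.com@EXAMPLE.COM", 1), ("HTTP/app1.example.com@EXAMPLE.COM", 4)])
```

A result from `services()` with more than one name means any process able to read that file holds the long-term keys of every listed service.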
 