Question on security of keytab file.

John Hascall john at iastate.edu
Thu Nov 8 15:50:54 EST 2007



> The question is, while providing support for a service to be a kerberized 
> service, 
> what are the security issues/advantages of providing the option for the 
> user to have an individual keytab file (can be different from 
> /etc/krb5.keytab and holds the key of that particular service) for the 
> kerberized service vs. using the default keytab file (/etc/krb5.keytab)? 
> 
> Is it necessary to have a separate keytab file for the kerberized service, 
> different from the default keytab file (/etc/krb5.keytab for Linux)? I.e., 
> does it provide any more security than the already root-only access to 
> /etc/krb5.keytab?

One time when you may want/need to use a keytab file
other than /etc/krb5.keytab is if the service runs
as a user other than root -- although a lot of times
running as a different user is coupled with running
in a chroot-jail so the file can still be known to
the application as /etc/krb5.keytab -- for example,
from one of my servers

vs-1# ls -l /var/chroot/accessd/etc/krb5.keytab
-r--------  1 accessd  accessd  137 Oct 30 11:47 /var/chroot/accessd/etc/krb5.keytab


John
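The property John's `ls -l` output shows (mode 0400, owned by the service account) is the one worth checking whenever a service is given its own keytab, because a keytab readable by any other account hands that account the service's long-term key. The following is an added example, not code from the original post or from any Kerberos distribution: a small POSIX sh check that a keytab is a regular file, owned by the expected service user, with no group or other permissions. The paths, the `accessd` user name and the placeholder file contents are assumptions for illustration; it does not need a KDC to run.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a per-service
# keytab is readable only by the account the service runs as, the
# property shown for /var/chroot/accessd/etc/krb5.keytab in the post.
# Paths, user names and file contents below are assumptions for illustration.

# check_keytab KEYTAB EXPECTED_OWNER
# Returns 0 if KEYTAB is a regular file owned by EXPECTED_OWNER that grants
# no group/other permissions; returns 1 otherwise and prints the reason.
check_keytab() {
    keytab=$1
    want_owner=$2

    if [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab does not exist or is not a regular file"
        return 1
    fi

    # ls -ld prints "-r-------- 1 owner group size date name"; the first ten
    # characters are the mode string (an ACL/SELinux marker may follow, so cut).
    set -- $(ls -ld "$keytab")
    mode=$(printf '%s' "$1" | cut -c1-10)
    owner=$3

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $keytab owned by $owner, expected $want_owner"
        return 1
    fi

    # Character 2 must be owner read; characters 5-10 (group and other) must
    # all be '-', otherwise another account can copy the service key.
    case $mode in
        ?r??------) ;;
        *) echo "FAIL: $keytab mode $mode allows group/other access (or lacks owner read)"
           return 1 ;;
    esac

    echo "OK: $keytab is $mode, owned by $owner"
    return 0
}

# Demonstrate both outcomes on a throwaway file. The contents are a
# constructed placeholder, not a real keytab.
demo() {
    dir=$(mktemp -d)
    kt="$dir/krb5.keytab"
    printf 'placeholder\n' > "$kt"
    me=$(id -un)

    chmod 0644 "$kt"
    check_keytab "$kt" "$me"       # FAIL: group/other can read it
    chmod 0400 "$kt"
    check_keytab "$kt" "$me"       # OK
    check_keytab "$kt" accessd     # FAIL: wrong owner (unless you are accessd)

    rm -rf "$dir"
}

demo
```

If the service does not run in a chroot, MIT Kerberos lets you point a non-root service at its own keytab with the `KRB5_KTNAME` environment variable instead of relying on the default `/etc/krb5.keytab`; the ownership and mode check above applies the same way to that file.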



More information about the Kerberos mailing list