Question on security of keytab file.
Roberto C. Sánchez
roberto at connexer.com
Thu Nov 8 20:21:17 EST 2007
On Thu, Nov 08, 2007 at 02:50:54PM -0600, John Hascall wrote:
>
> One time when you may want/need to use a keytab file
> other than /etc/krb5.keytab is if the service runs
> as a user other than root -- although a lot of times
> running as a different user is coupled with running
> in a chroot-jail so the file can still be known to
> the application as /etc/krb5.keytab -- for example,
> from one of my servers
>
> vs-1# ls -l /var/chroot/accessd/etc/krb5.keytab
> -r-------- 1 accessd accessd 137 Oct 30 11:47 /var/chroot/accessd/etc/krb5.keytab
>
One other thing to point out is that some services expect to have their
own keytab (for the reasons you mentioned). For example, OpenLDAP has
(at least on my Debian servers) a default keytab of
/etc/ldap/ldap.keytab.
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20071108/144a487f/attachment.bin
More information about the Kerberos
mailing list