Automatic keytab creation
rjsm at umich.edu
Tue Oct 23 00:56:21 EDT 2012
We here require the person reloading a machine to be authorized to reload
it. That means that we can ask for a principal and password to get
started. From there we have an internally developed system that we are
working to replace with wallet to handle our keytab creation for new hosts
and hosts that have changed names.
One other option we have looked at (and eventually are going to implement)
is giving hosts that are set to be reloaded a keytab that is authorized to
reload any host. This does pose some security concerns if other parts of
your environment aren't under some sort of acl control.
Ross Smith <rjsm at umich.edu>
College of Engineering - CAEN - Unix and Linux Support
On Mon, Oct 22, 2012 at 8:51 PM, Jaap Winius <jwinius at umrk.nl> wrote:
> On Mon, 22 Oct 2012 12:07:11 -0700, Russ Allbery wrote:
> > remctl doesn't, as yet, have support for anonymous PKINIT, although it's
> > something that I want to add.
> Then perhaps remctl is currently not part of a solution to this problem.
> Is there any way at all to automatically create a keytab on a newly
> installed host?
> Kerberos mailing list Kerberos at mit.edu
More information about the Kerberos