krb5-1.12.1 and client keytab file
Greg Hudson
ghudson at MIT.EDU
Fri May 30 14:08:20 EDT 2014
On 05/30/2014 01:38 PM, squidmobile at fastmail.fm wrote:
> the bad news is that it did not always work quite as expected.
All of the behaviors you describe are intended, but they could probably
be documented better.
> KRB5CCNAME=MEMORY: KRB5_CLIENT_KTNAME=some.key.file \
> app-with-gssapi-calls
> this worked extremely well. no clashes occurred with any other tgt,
> with either the FILE:... or DIR:... syntax.
You might want to give the memory ccache a name (MEMORY:mycache),
although I guess the empty name works too.
> however, i believe
> some dialects of unix make all of memory available via things like
> /dev/kmem or /proc/core, which could pose security issues...
Not a concern. Your process's memory is at least as secure as the files
it reads from.
> one other thought: what happens to app-with-gssapi-calls if it
> runs past the time limit for the tgt obtained by this mechanism?
The KRB5_CLIENT_KTNAME mechanism will renew the TGT when it is halfway
to expired. So if you get ten-hour tickets by default, the resulting
connection should be valid for at least five hours, if the application
even checks.
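A wrapper for the invocation pattern quoted above, added here as an example and not taken from the thread or from MIT krb5 itself: it runs an application under a private MEMORY: cache with a client keytab, and first refuses a keytab that other users could read. The function names and the cache name "appcache" are assumptions.

```shell
# check_keytab_mode KEYTAB
# Succeeds only if KEYTAB is a regular file with no group/other permission
# bits set. A keytab holds long-term keys, so anyone who can read it can
# obtain tickets as that principal; a 0644 keytab is a credential leak.
check_keytab_mode() {
    keytab=$1
    [ -f "$keytab" ] || return 1
    # Columns 5-10 of 'ls -ld' are the group and other permission bits.
    perms=$(ls -ld "$keytab" | cut -c5-10)
    case $perms in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# run_with_client_keytab KEYTAB COMMAND [ARGS...]
# Runs COMMAND with:
#   KRB5CCNAME=MEMORY:appcache   a per-process cache, so nothing collides
#                                with the user's FILE:/DIR: caches
#   KRB5_CLIENT_KTNAME=KEYTAB    the library obtains a TGT from the keytab
#                                on demand and renews it at half its lifetime
# (the variable names come from the thread; "appcache" is an assumed name).
run_with_client_keytab() {
    keytab=$1
    shift
    if ! check_keytab_mode "$keytab"; then
        echo "refusing keytab '$keytab': must be a regular file with mode 0600" >&2
        return 1
    fi
    env KRB5CCNAME="MEMORY:appcache" KRB5_CLIENT_KTNAME="$keytab" "$@"
}

# Usage (paths are placeholders):
#   run_with_client_keytab /etc/app/app.keytab app-with-gssapi-calls
```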