Is a keytab file encrypted?
Jeffrey Altman
jaltman at secure-endpoints.com
Fri Jul 21 12:27:32 EDT 2017
On 7/21/2017 11:13 AM, Charles Hedrick wrote:
> The argument makes sense.
>
> However I am disturbed by the fact that a keytab can be used anywhere. If someone manages to become root on one machine, I’d like them not to be able to do things on other machines. I’m in an environment where we have systems administered by users, and unattended public workstations.
>
> That makes me unwilling to tell users to create key tables for cron jobs.
Sites have implemented a wide variety of approaches to authenticating
cron jobs. The cron process is specific to a host and is not the user.
As such some sites provide tooling that issues host specific principals
for such use with cron:
user/cron/hostname at REALM
is a common format. It is then up to the service receiving such a
principal to ensure that the authenticating client is in fact connecting
from the specified host. Authorization rules can be applied as desired
to either grant specific permissions to
user/cron/hostname at REALM
user/cron/*@REALM
user/*/*@REALM
with appropriate name folding.
Jeffrey Altman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4081 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20170721/476f86de/attachment.bin
More information about the Kerberos
mailing list