Is a keytab file encrypted?
eagle at eyrie.org
Fri Jul 21 15:42:38 EDT 2017
Charles Hedrick <hedrick at rutgers.edu> writes:
> The argument makes sense.
> However I am disturbed by the fact that a keytab can be used
> anywhere. If someone manages to become root on one machine, I’d like
> them not to be able to do things on other machines. I’m in an
> environment where we have systems administered by users, and unattended
> public workstations.
> That makes me unwilling to tell users to create key tables for cron
Yeah, if you're worried about portable keys, that's when you probably want
to do something with a system TPM. If you go down that path, I'd probably
try to figure out some way to do PKINIT using a TLS certificate stored in
the TPM. I'm not aware of anyone who has already done that work, but it
would be a pretty interesting project.
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>
More information about the Kerberos