hardware recommendation to run MIT KDC

Matt Crawford crawford at fnal.gov
Wed Aug 29 18:02:14 EDT 2007

On Aug 29, 2007, at 4:12 PM, John Hascall wrote:

>> When I ran the KDCs here, I always configured them with no paging
>> space, the better to quantify the impact of a hypothetical theft of
>> the machine.
> Was your concern that there might have been a swap-out
> during a period that kadmind held a password in cleartext
> when setting a password?

The backup KDCs that were not in locked racks in access-controlled  
computer rooms had no stash files either. Their master keys had to be  
entered manually. (They exist to provide service continuity in the  
event of a network partition. One of them is 1/2 mile underground,  
400 miles from the master KDC. Network partition is a concern.)

More information about the krbdev mailing list