hardware recommendation to run MIT KDC
crawford at fnal.gov
Wed Aug 29 18:02:14 EDT 2007
On Aug 29, 2007, at 4:12 PM, John Hascall wrote:
>> When I ran the KDCs here, I always configured them with no paging
>> space, the better to quantify the impact of a hypothetical theft of
>> the machine.
> Was your concern that there might have been a swap-out
> during a period that kadmind held a password in cleartext
> when setting a password?
The backup KDCs that were not in locked racks in access-controlled
computer rooms had no stash files either. Their master keys had to be
entered manually. (They exist to provide service continuity in the
event of a network partition. One of them is 1/2 mile underground,
400 miles from the master KDC. Network partition is a concern.)
More information about the krbdev