Creating GSSAPI initiate credential using keytab entry--how should this work
Nicolas.Williams at sun.com
Wed Mar 10 14:14:32 EST 2010
On Wed, Mar 10, 2010 at 02:04:04PM -0500, Greg Hudson wrote:
> On Wed, 2010-03-10 at 12:36 -0500, Sam Hartman wrote:
> > Would it be a good idea to wrap all this logic into
> > gss_acquire_credential so that if you have a keytab you can just use it
> > as an initiator?
> > I.E. would that be a good improvement for the future?
> Possibly. Or we could do the credentials-cache-backed-by-a-keytab idea.
Solaris already does acquire a TGT using a keytab, but only when
getuid() == 0. This could/should be generalized.
The main issue is: how to find the correct keytab. Using an environment
variable will do, but I'd rather have well-known locations for user
keytabs, such as:
The /var/run paths would be nice for system-managed temporary keytabs
(think of a PAM module stashing away your keys for subsequent use; I'm
not promoting this, but I'd like it to be possible). The /var/krb5
paths would be nice for persistent user keytabs.
> I think it requires at least some thought, though. Currently our GSSAPI
> library only does TGS requests, not AS requests. If it starts doing AS
> requests, then it becomes a consumer of the gic_opt framework and the
> preauth framework, and there are some (probably manageable) implications
That's not been a problem for Solaris.
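As an added illustration of the "how to find the correct keytab" problem raised in this message (example code written for this page; it is not Solaris, MIT krb5 or anything posted in the thread), the following parses the version-2 keytab file format, walks a hypothetical list of candidate locations modelled on the /var/run and /var/krb5 idea, and picks the first keytab that is owned by the calling user, not group/world readable, and actually holds a live entry for the wanted initiator principal. The search order, the path layout and the use of an environment variable named after MIT krb5's later KRB5_CLIENT_KTNAME are all assumptions; the keytab contents are constructed inline.

```python
"""Keytab discovery for an initiator principal (added example, not project code)."""
import os
import struct
import tempfile

KEYTAB_MAGIC = b"\x05\x02"          # keytab file format version 2
KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES256_SHA1 = 18


def _read_counted(buf, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for the live entries of a v2 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                 # negative size marks a deleted slot; skip its body
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _read_counted(data, off)
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno extension follows the key
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries


def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialise one keytab entry (used only to construct sample files)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def candidate_paths(uid, username):
    """Hypothetical search order; the exact layout is an assumption, not the thread's."""
    paths = [os.environ["KRB5_CLIENT_KTNAME"]] if "KRB5_CLIENT_KTNAME" in os.environ else []
    paths.append(f"/var/run/krb5/user/{uid}/client.keytab")   # system-managed, temporary
    paths.append(f"/var/krb5/user/{username}/client.keytab")  # persistent user keytab
    return paths


def find_keytab_for(principal, candidates, uid):
    """First candidate owned by uid, mode 0600 or stricter, with a live entry for principal."""
    for path in candidates:
        try:
            st = os.stat(path)
            if st.st_uid != uid or st.st_mode & 0o077:
                continue             # refuse keytabs another user could have read or written
            with open(path, "rb") as f:
                data = f.read()
        except OSError:
            continue
        if any(p == principal for p, _, _ in parse_keytab(data)):
            return path
    return None


def demo():
    """Constructed keytabs in a temp dir: missing, deleted-slot, world-readable, good."""
    tmp = tempfile.mkdtemp()
    want = "alice@EXAMPLE.COM"
    stale, leaky, good = (os.path.join(tmp, n) for n in ("stale.kt", "leaky.kt", "user.kt"))
    entry = build_entry(want, 3, ENCTYPE_AES256_SHA1, b"\x02" * 32)
    with open(stale, "wb") as f:    # same entry, but marked deleted
        f.write(KEYTAB_MAGIC + struct.pack(">i", -(len(entry) - 4)) + entry[4:])
    with open(leaky, "wb") as f:    # live entry, but left group/world readable
        f.write(KEYTAB_MAGIC + entry)
    with open(good, "wb") as f:
        f.write(KEYTAB_MAGIC
                + build_entry("host/web.example.com@EXAMPLE.COM", 2, ENCTYPE_AES256_SHA1, b"\x01" * 32)
                + entry)
    os.chmod(stale, 0o600)
    os.chmod(leaky, 0o644)
    os.chmod(good, 0o600)
    chosen = find_keytab_for(want, [os.path.join(tmp, "missing.kt"), stale, leaky, good], os.getuid())
    with open(good, "rb") as f:
        return chosen == good, parse_keytab(f.read())


if __name__ == "__main__":
    print(demo())
```

This covers only the discovery step; a library following the Solaris behaviour described above would then obtain the TGT with the selected keytab, store it in a credentials cache, and acquire the GSSAPI initiator credential from that cache. The ownership and mode check is the user-level analogue of the getuid() == 0 restriction: a keytab is only a safe basis for initiator credentials if nobody else could have planted or read it.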