Creating GSSAPI initiate credential using keytab entry--how should this work
Russ Allbery
rra at stanford.edu
Wed Mar 10 14:36:09 EST 2010
Nicolas Williams <Nicolas.Williams at sun.com> writes:
> The main issue is: how to find the correct keytab. Using an environment
> variable will do, but I'd rather have well-known locations for user
> keytabs, such as:
> /var/run/krb5/keytabs/<user>/keytab
> /var/krb5/keytabs/<user>/keytab
> The /var/run paths would be nice for system-managed temporary keytabs
> (think of a PAM module stashing away your keys for subsequent use; I'm
> not promoting this, but I'd like it to be possible). The /var/krb5
> paths would be nice for persistent user keytabs.
I suspect the second path will vary widely between systems. For instance,
Linux systems following the File Hierarchy Standard would not be permitted
to use /var/krb5, and I think the most reasonable interpretation of the
FHS would be that persistent keytabs are configuration files and therefore
must be in /etc.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>