Creating GSSAPI initiate credential using keytab entry--how should this work
Simo Sorce
ssorce at redhat.com
Wed Mar 10 14:46:31 EST 2010
On Wed, 10 Mar 2010 11:36:09 -0800
Russ Allbery <rra at stanford.edu> wrote:
> Nicolas Williams <Nicolas.Williams at sun.com> writes:
>
> > The main issue is: how to find the correct keytab. Using an
> > environment variable will do, but I'd rather have well-known
> > locations for user keytabs, such as:
>
> > /var/run/krb5/keytabs/<user>/keytab
> > /var/krb5/keytabs/<user>/keytab
>
> > The /var/run paths would be nice for system-managed temporary
> > keytabs (think of a PAM module stashing away your keys for
> > subsequent use; I'm not promoting this, but I'd like it to be
> > possible). The /var/krb5 paths would be nice for persistent user
> > keytabs.
>
> I suspect the second path will vary widely between systems. For
> instance, Linux systems following the File Hierarchy Standard would
> not be permitted to use /var/krb5, and I think the most reasonable
> interpretation of the FHS would be that persistent keytabs are
> configuration files and therefore must be in /etc.

/var/lib/krb5 would probably be ok.

I am not so positive keytabs are configuration files though.
They are more like data if you ask me, you could say they are
micro-databases.

Simo.

--
Simo Sorce * Red Hat, Inc * New York