Creating GSSAPI initiate credential using keytab entry--how should this work
rra at stanford.edu
Wed Mar 10 15:01:40 EST 2010
Simo Sorce <ssorce at redhat.com> writes:

> Russ Allbery <rra at stanford.edu> wrote:

>> I suspect the second path will vary widely between systems. For
>> instance, Linux systems following the File Hierarchy Standard would not
>> be permitted to use /var/krb5, and I think the most reasonable
>> interpretation of the FHS would be that persistent keytabs are
>> configuration files and therefore must be in /etc.

> /var/lib/krb5 would probably be ok.

Yes, if you don't think keytabs are configuration files.

> I am not so positive keytabs are configuration files though. They are
> more like data if you ask me, you could say they are micro-databases.

Authorization material has always been treated as a configuration file on
Linux systems, IMO. Configured database passwords, usernames, and similar
sorts of legacy credentials are fairly uniformly in configuration files in
/etc. Likewise for system X.509 certificates and, for Debian at least,
the PGP keys used to verify package downloads (and, for that matter,
/etc/shadow). Most tellingly, the system keytab is always a configuration
file in /etc and has been for many years.

With my Debian Policy hat on, I'd object to a default location in /var for
persistent keytabs. /etc/keytabs or (probably better) /etc/krb5/keytabs
would be my recommendation, with a legacy exception for /etc/krb5.keytab.

All that aside, though, I really like Nico's original point. I think
having a default location and naming convention for keytabs would be very
useful and would solve a lot of annoying problems.

Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
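As an added example, not code from this thread, from MIT Kerberos, or from Debian Policy: a POSIX shell resolver for the per-service keytab layout Russ sketches above. It assumes the layout /etc/krb5/keytabs/NAME.keytab with /etc/krb5.keytab as the legacy fallback (the exact file naming is my instantiation of the proposal, not an adopted convention), and it refuses a keytab that is not owned by the expected uid or that is group- or world-readable, which is the check a practitioner wants before handing a credential file to a daemon. The base directory and owner uid are parameters so the function can be run against a scratch tree; GNU and BSD stat flags are both tried.

```shell
#!/bin/sh
# Added example: locate a persistent keytab under the layout proposed in the
# message above and verify it is safe to use. Illustrative code only; the
# directory naming and the 0600/0400 ownership rule are assumptions, not a
# standard.

# keytab_is_safe FILE [OWNER_UID]
#   Succeeds only if FILE is a regular file owned by OWNER_UID (default 0)
#   with mode 0600 or 0400. Anything readable by group or others fails.
keytab_is_safe() {
    f=$1
    want_uid=${2:-0}
    [ -f "$f" ] || return 1
    # GNU stat first (%u uid, %a octal mode), then BSD/macOS stat.
    st=$(stat -c '%u %a' "$f" 2>/dev/null) \
        || st=$(stat -f '%u %OLp' "$f" 2>/dev/null) \
        || return 1
    uid=${st%% *}
    mode=${st#* }
    [ "$uid" = "$want_uid" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# resolve_keytab NAME [ETC] [OWNER_UID]
#   Prints the keytab path for service NAME: ETC/krb5/keytabs/NAME.keytab if
#   present, otherwise the legacy ETC/krb5.keytab. Exit status 1 if neither
#   exists, 2 if the first candidate found has unsafe ownership or mode
#   (an unsafe per-service file is rejected, not silently skipped).
resolve_keytab() {
    name=$1
    etc=${2:-/etc}
    owner=${3:-0}
    for cand in "$etc/krb5/keytabs/$name.keytab" "$etc/krb5.keytab"; do
        if [ -e "$cand" ]; then
            keytab_is_safe "$cand" "$owner" || return 2
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Stand-alone use: resolve_keytab.sh SERVICE [ETC] [OWNER_UID]
if [ $# -gt 0 ]; then
    resolve_keytab "$@"
fi
```

Note that a service whose own keytab is missing falls back to the shared system keytab, which matches the "legacy exception" in the message but means every service that is allowed that fallback can read every key in /etc/krb5.keytab; if that is not acceptable, drop the second candidate from the list.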