Creating GSSAPI initiate credential using keytab entry--how should this work
rra at stanford.edu
Wed Mar 10 15:06:40 EST 2010
Nicolas Williams <Nicolas.Williams at sun.com> writes:
> But we're talking about _user_ content, not system content.
Ah, I see, you said persistent user keytabs and I missed the user (or,
rather, interpreted it to mean application users used for privilege
separation by the system administrator, not regular login users).
> Such contents is best placed in $HOME, but then you get into a catch-22
> if you need [fresh] credentials to access $HOME, and, of course, you'd
> want to encrypt such credentials in case they are not confidentiality-
> protected on the wire. It's easier to use local storage, and /var seems
> right for that. Personally, I'd disallow persistent user keytabs and go
> with /var/run only as a matter of _policy_, but I think the system
> should support persistent user keytabs as well.
I agree that the waters are muddier if one is talking about general shell
users creating keytabs for their personal use. I would still create
per-user directories in /etc for this, personally, but I think the FHS
would accept either answer.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev