Default client keytab name
Nico Williams
nico at cryptonector.com
Sat Jul 21 22:42:38 EDT 2012
On Sat, Jul 21, 2012 at 9:22 PM, Danilo Almeida <dalmeida at mit.edu> wrote:
> Some further refinement on my thinking:
>
> The acceptor keytab at /etc/krb5.keytab is locked down to root, right? So
> perhaps we should have uid 0's client keytab at /etc/krb5.client.keytab.
>
> If so, then option (2) could be the mirror of that for a root acceptor
> keytab. Then option 1 could be used for all uids != 0. In theory, an
> acceptor keytab could be stored there as well. The file part of the name
> could be <uid>.keytab for acceptor and <uid>.client.keytab for initiator.
> This would make it so when you copy the keytabs, they would not stomp over
> each other if they end up in the same directory.
That works for me.
> So my preference is for option 1 and option 2, where option 1 applies to uid
> != 0 and option 2 applies to uid = 0. Thoughts?
>
> Is the file format for client (initiator) vs acceptor keytabs fundamentally
> different? Is that why the .clkeytab extension is used? If so, I'm back on
> board with .clkeytab (instead of .client.keytab). In fact, I think that I
> am warming up to .clkeytab regardless.
No, it's the same format. We should not introduce a new file type suffix, IMO.