Keytab-based initiator creds design

Greg Hudson ghudson at MIT.EDU
Sat Jun 2 21:33:26 EDT 2012


On 06/02/2012 04:51 PM, Simo Sorce wrote:
> Would it make sense to have something in a config file to turn on/off
> this feature ?
> Relying on an environment variable is probably also ok, but I like the
> ability to just set a keytab and not have to worry to change startup
> scripts in order to have env vars properly set.

To avoid needing to set up environment variables, I think we wind up
having to key off the uid or $USER or $HOME.  For example, we could have
a krb5.conf variable which determines the keytab and ccache names and
has substitutions for the username.  Or we could look for a named keytab
in a specific place under $HOME (and then if we find it, do something to
figure out the ccache and principal name).  Or we could have a small
config file under $HOME.  Of course these ideas only work if each
service runs as a separate uid--which is usually a good idea, but isn't
universal in practice.

Elsewhere you suggested keying off of argv[0], but libgssapi doesn't
have any portable access to that.  And I think it would be very
surprising for argv[0] to affect library behavior without argv being
passed to the library.
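As an added illustration (not part of this message or of the krb5 code base) of the first option above, a krb5.conf-style variable naming the keytab and ccache with substitutions for the user, here is a small resolver keyed off the uid and the passwd entry, falling back to $USER/$HOME. The token syntax `%{uid}`, `%{username}`, `%{HOME}` and the config keys `client_keytab_name` / `ccache_name` are assumptions chosen for this example. It also does the check a practitioner would want before trusting a per-user keytab: the file must be owned by that uid and not group- or world-accessible, since a readable keytab hands the service's long-term key to every local user.

```python
"""Resolve a per-user client keytab and ccache from templates (added example)."""
import os
import pwd
import re
import stat
import tempfile
from typing import Dict, Optional, Tuple

# Substitution tokens understood by this example (an assumption, not a
# syntax the message specifies): %{uid}, %{username}, %{HOME}.
_TOKEN = re.compile(r"%\{(uid|username|HOME)\}")


def user_context(uid: Optional[int] = None,
                 env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Describe the calling user, keyed off the uid first.

    The passwd entry is consulted for the name and home directory so that
    no startup script has to export anything; $USER/$HOME only fill gaps.
    """
    env = dict(os.environ) if env is None else env
    uid = os.getuid() if uid is None else uid
    try:
        pw = pwd.getpwuid(uid)
        username, home = pw.pw_name, pw.pw_dir
    except KeyError:
        username, home = env.get("USER", ""), env.get("HOME", "")
    return {"uid": str(uid), "username": username, "HOME": home}


def expand_template(template: str, ctx: Dict[str, str]) -> str:
    """Replace the known tokens; an unknown %{...} is an error.

    Refusing unknown tokens matters: silently expanding a typo to "" would
    map every service to the same path instead of its own keytab.
    """
    out = _TOKEN.sub(lambda m: ctx[m.group(1)], template)
    if "%{" in out:
        raise ValueError(f"unsupported substitution in {template!r}")
    return out


def resolve_initiator_creds(conf: Dict[str, str],
                            ctx: Dict[str, str]) -> Dict[str, str]:
    """Expand the (assumed) client_keytab_name / ccache_name settings."""
    return {
        "keytab": expand_template(conf["client_keytab_name"], ctx),
        "ccache": expand_template(conf["ccache_name"], ctx),
    }


def check_private_keytab(path: str, uid: int) -> Tuple[bool, str]:
    """(ok, reason): regular file, owned by uid, no group/other permission bits."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, "keytab not found"
    if not stat.S_ISREG(st.st_mode):
        return False, "keytab is not a regular file"
    if st.st_uid != uid:
        return False, f"keytab owned by uid {st.st_uid}, not {uid}"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "keytab is group- or world-accessible"
    return True, "ok"


def demo() -> Dict[str, object]:
    """Constructed walk-through in a temp dir: one 0600 keytab, then 0644."""
    home = tempfile.mkdtemp()
    uid = os.getuid()
    ctx = {"uid": str(uid), "username": "svc-web", "HOME": home}  # constructed
    conf = {  # constructed config, keys are this example's assumption
        "client_keytab_name": "%{HOME}/.krb5/%{username}.keytab",
        "ccache_name": "FILE:/tmp/krb5cc_%{uid}_%{username}",
    }
    creds = resolve_initiator_creds(conf, ctx)
    os.makedirs(os.path.dirname(creds["keytab"]), mode=0o700)
    with open(creds["keytab"], "wb") as f:
        f.write(b"\x05\x02")  # placeholder header bytes only; no key material
    os.chmod(creds["keytab"], 0o600)
    private_ok, _ = check_private_keytab(creds["keytab"], uid)
    os.chmod(creds["keytab"], 0o644)
    loose_ok, loose_reason = check_private_keytab(creds["keytab"], uid)
    return {"uid": str(uid), "keytab": creds["keytab"], "ccache": creds["ccache"],
            "private_ok": private_ok, "loose_ok": loose_ok,
            "loose_reason": loose_reason}


if __name__ == "__main__":
    print(user_context())
    print(demo())
```

Because the uid comes from the process and not from the environment, a service started without $USER or $HOME still resolves to its own keytab; the caveat from the message stands, though: this only separates services that run as separate uids.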


More information about the krbdev mailing list