Keytab-based initiator creds design

Simo Sorce simo at redhat.com
Thu Jun 7 15:54:48 EDT 2012


On Thu, 2012-06-07 at 14:23 -0500, Nico Williams wrote:
> On Thu, Jun 7, 2012 at 1:56 PM, Simo Sorce <simo at redhat.com> wrote:
> > In Fedora we are already moving the ccache to a standard place in /run,
> > and it is non persistent as that filesystem is a tmpfs.
> >
> > So I think I like this proposal, it aligns well with what we are already
> > trying to do there.
> 
> I know.  I had your use case and ones I had in my Solaris days in mind.
> 
> > The /run location should be /run/user/$USER/krb5/ccache though as that
> > is where the various pam modules put stuff
> 
> Ideally this could be ./configured, no?

Usually variable directory names are not easy to configure
via ./configure, but sure, I am all for it.

> > For the permanent location (for keytab and
> > default_principal) /var/lib/krb5/user/$USER or similar would probably be
> > ok.
> 
> Actually, /var/spool/krb5/... no?

I am not picky, whatever FHS/distributions want, as long as it is
configurable in ./configure (easier because we do not need to add
postfixes to the variable part here).

> > Should we allow symlinks in the permanent location ?
> 
> Sure, why not.  If some daemon must use the same keytab as
> /etc/krb5.keytab, why make the admin have to maintain a copy?  But if
> there's an issue with gss proxy daemon...  -- is that what you're
> concerned about?

No, I am not too concerned about that case, as I can always override
there; it depends on who owns the directories/files, I guess.

> > What about default principal ?
> 
> I'd say put it in a separate file.  But if it's not there then use the
> princ of the first keytab entry.

So it is only to be able to use a specific principal if the keytab
happens to hold keys for multiple principals.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
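The per-user layout and principal-selection rule worked out in the thread above, as an added shell example (not code from the thread or from MIT Kerberos): the ccache under /run/user/$USER/krb5/ccache, the keytab and default_principal file under /var/lib/krb5/user/$USER, and the fallback to the first keytab entry when no default_principal file exists. The file names `keytab` and `default_principal` and the overridable KRB5_RUN_DIR/KRB5_LIB_DIR defaults are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the per-user initiator
# credential locations discussed above. Defaults stand in for what
# ./configure would set; the file names are assumptions.
KRB5_RUN_DIR="${KRB5_RUN_DIR:-/run/user}"
KRB5_LIB_DIR="${KRB5_LIB_DIR:-/var/lib/krb5/user}"

# Permanent location: keytab and optional default_principal file.
user_perm_dir() { printf '%s/%s\n' "$KRB5_LIB_DIR" "$1"; }

# Non-persistent ccache location (tmpfs under /run), as a KRB5CCNAME value.
user_ccache() { printf 'FILE:%s/%s/krb5/ccache\n' "$KRB5_RUN_DIR" "$1"; }

# Principal selection rule from the thread: an explicit default_principal
# file wins; otherwise use the principal of the first keytab entry, so the
# file is only needed when the keytab holds keys for several principals.
user_principal() {
    dir=$(user_perm_dir "$1")
    if [ -s "$dir/default_principal" ]; then
        # first non-empty line, surrounding whitespace stripped
        awk 'NF { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }' \
            "$dir/default_principal"
        return 0
    fi
    [ -r "$dir/keytab" ] || return 1
    # klist -k prints "KVNO Principal" rows after a header; take the first
    # data row (its first field is the numeric kvno).
    klist -k "$dir/keytab" | awk '$1 ~ /^[0-9]+$/ { print $2; exit }'
}
```

Run as `KRB5CCNAME=$(user_ccache "$USER") kinit -k -t "$(user_perm_dir "$USER")/keytab" "$(user_principal "$USER")"` to obtain a ticket into the non-persistent ccache.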
