Keytab-based initiator creds design
Nico Williams
nico at cryptonector.com
Fri Jun 8 12:21:31 EDT 2012
On Fri, Jun 8, 2012 at 10:41 AM, Greg Hudson <ghudson at mit.edu> wrote:
> From discussion, I think the main thing Nico is trying to achieve, relative
> to my proposal, is to minimize the need for environment variables in the
> cases where (1) each daemon is running with a separate uid (and therefore
> needs a separate keytab), or (2) the configuration requires per-session
> client keytabs and/or client ccaches. There may be simpler ways to achieve
> at least (1), such as parameterizing the default_keytab_name profile
> variable.
Yes, I am opposed to the use of environment variables as the primary,
much less only, configuration mechanism for something. I'm very much
opposed to the KRB5_KEYTAB_PRINCIPAL environment variable being
required for this to work.
I explained at length on #krbdev what makes environment variables
evil, which boils down to their being very difficult to observe, and
even more difficult to change, from outside the process of interest.
Nico
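The alternative Greg raises above, parameterizing the profile variable instead of relying on an environment variable, can be shown concretely. The fragment below is an added example, not part of the original thread; it uses the profile parameter expansion that MIT krb5 (1.11 and later) supports, and the keytab paths are assumptions chosen for illustration:

```ini
; krb5.conf fragment (added example, not from the thread). Assumes MIT krb5
; with profile parameter expansion; the paths below are hypothetical.
[libdefaults]
    ; Case (1) from the quoted text: each daemon runs under its own uid and
    ; therefore needs its own keytab. %{euid} expands to the effective uid of
    ; the calling process, so the selection happens in the config file and
    ; no KRB5_KTNAME or KRB5_KEYTAB_PRINCIPAL-style variable is required.
    default_keytab_name = FILE:/var/kerberos/krb5/user/%{euid}/service.keytab

    ; Initiator credentials (the subject of this thread) keyed the same way.
    default_client_keytab_name = FILE:/var/kerberos/krb5/user/%{euid}/client.keytab
```

The practical difference is the one the message argues for: a setting in krb5.conf can be read and changed from outside the process (an operator can inspect the file and a daemon picks up the change on restart), whereas an environment variable lives only in the process image, is readable from outside only through /proc/PID/environ with the same uid or root, and cannot be altered in a running process at all. `klist -k` run as the daemon's uid shows which keytab the expansion resolves to.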