a suggestion for reducing use of kdc.conf

Will Fiveash will.fiveash at oracle.com
Tue May 7 13:46:26 EDT 2013

On Tue, May 07, 2013 at 11:53:51AM -0500, Nico Williams wrote:
> On Tue, May 7, 2013 at 7:47 AM, Nathaniel McCallum
> <npmccallum at redhat.com> wrote:
> > Yes, but you would have a potential weakness if you placed your RADIUS
> > secrets in a world-readable file.
> Huh?  Noooo, no passwords/secrets in config files please.  The config
> file should name a file where the secret(s) is(are) kept, which file
> then can be made sure to be mode 0600 and handled (e.g., w.r.t.
> backups, replication, ..., like any other file that contains sensitive
> data.  And if there's any way to abuse keytabs (heh) for this, go for
> it.

And there should be a default path to the secrets file so the admin
doesn't have to specify where the file is located, something like the
key_stash_file parameter.

> (This is a big deal at Sun^H^H^HOracle, in Solaris engineering and at
> PSARC.  Or used to be.)

Still a big deal.  8^)

Will Fiveash
Oracle Solaris Software Engineer

More information about the krbdev mailing list