a suggestion for reducing use of kdc.conf

Will Fiveash will.fiveash at oracle.com
Tue May 7 13:46:26 EDT 2013


On Tue, May 07, 2013 at 11:53:51AM -0500, Nico Williams wrote:
> On Tue, May 7, 2013 at 7:47 AM, Nathaniel McCallum
> <npmccallum at redhat.com> wrote:
> > Yes, but you would have a potential weakness if you placed your RADIUS
> > secrets in a world-readable file.
> 
> Huh?  Noooo, no passwords/secrets in config files please.  The config
> file should name a file where the secret(s) is(are) kept, which file
> then can be made sure to be mode 0600 and handled (e.g., w.r.t.
> backups, replication, ..., like any other file that contains sensitive
> data.  And if there's any way to abuse keytabs (heh) for this, go for
> it.

And there should be a default path to the secrets file so the admin
doesn't have to specify where the file is located, something like the
key_stash_file parameter.

> (This is a big deal at Sun^H^H^HOracle, in Solaris engineering and at
> PSARC.  Or used to be.)

Still a big deal.  8^)

-- 
Will Fiveash
Oracle Solaris Software Engineer


More information about the krbdev mailing list
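
The arrangement discussed in this message (the config names a secrets file, a default path applies when it names none, and the file must be mode 0600), as an added C example that is not part of the thread and not MIT krb5 code. The names DEFAULT_SECRET_PATH, secret_path and read_secret and the default location are hypothetical, and the file is assumed to hold one secret on its first line.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical built-in default, used when the config names no file. */
#define DEFAULT_SECRET_PATH "/var/lib/exampled/radius.secret"

const char *secret_path(const char *configured)
{
    return (configured && *configured) ? configured : DEFAULT_SECRET_PATH;
}

/* Read the secret into buf; refuse the file unless it is a regular file owned
 * by the effective user with no group/other bits. Returns length or -1/errno. */
ssize_t read_secret(const char *configured, char *buf, size_t buflen)
{
    struct stat st;
    ssize_t n = -1;
    int fd, saved;
    if (buflen == 0) { errno = EINVAL; return -1; }
    fd = open(secret_path(configured), O_RDONLY | O_NONBLOCK); /* FIFO-safe */
    if (fd < 0) return -1;
    /* fstat() the descriptor so the checks cover the file actually read. */
    if (fstat(fd, &st) == 0) {
        if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
            (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
            errno = EPERM;                 /* too permissive or wrong owner */
        } else if ((n = read(fd, buf, buflen - 1)) >= 0) {
            buf[n] = '\0';
            n = (ssize_t)strcspn(buf, "\r\n");   /* keep the first line only */
            buf[n] = '\0';
        }
    }
    saved = errno;                         /* close() may overwrite errno */
    close(fd);
    errno = saved;
    return n;
}

int main(int argc, char **argv)
{
    char secret[256];
    ssize_t n = read_secret(argc > 1 ? argv[1] : NULL, secret, sizeof secret);
    if (n < 0) { perror(secret_path(argc > 1 ? argv[1] : NULL)); return 1; }
    printf("loaded a %zd-byte secret\n", n);
    return 0;
}
```

Checking ownership and mode on the open descriptor, rather than calling stat() on the path first, avoids a window in which the file could be swapped between the check and the read.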