a suggestion for reducing use of kdc.conf
Nico Williams
nico at cryptonector.com
Tue May 7 17:29:40 EDT 2013
ALSO, historically kdc.conf hasn't required 0600 permissions, and
neither has krb5.conf. Changing this is going to create problems.
File permission mgmt, backups, ... -- these things motivate the
principle that secrets need to be stored separately from
configuration. OpenSSH doesn't store private keys in sshd_config --
it could have, but didn't, probably because that would have been
unwieldy, but that's just one of the problems secrets in config files
cause.
A related point is that IMO you should move to as close to a zero-conf
world as possible (where empty/missing configs result in reasonable
default behavior. For example, krb5kdc and such could discover realm
names and such things from the KDB found at the default location.
Putting secrets in kdc.conf, or having to specify the name of a file
in kdc.conf where they are complicates zero/minimal-conf, whereas a
default location for the RADIUS/OTP/whatever secrets works better.
The downside (there is one) is that admins have to know about one more
file. It's a worthwhile trade-off.
Nico
--
More information about the krbdev
mailing list