a suggestion for reducing use of kdc.conf

Will Fiveash will.fiveash at oracle.com
Tue May 7 18:55:18 EDT 2013

On Tue, May 07, 2013 at 04:22:25PM -0500, Nico Williams wrote:
> On Tue, May 7, 2013 at 3:38 PM, Greg Hudson <ghudson at mit.edu> wrote:
> > Keep in mind that krb5.conf supports include directives now.
> Right, but I'm not sure that that would be enough to mollify PSARC.  I
> guess they might be OK if Will sets up defaults and documentation such
> that users don't end up including secrets in krb5.conf or kdc.conf
> unless they really mean to, but...  then there's MIT's docs as well.
> I'd like you to buy into the principle in question, rather than see
> this as something that a weirdo distro/vendor wants.  I personally
> agree with that principle -- I'm not carrying PSARC's water.

I'm confused at this point.  If we are talking about parameters like
key_stash_file in k*.conf files which provide a non-default path to a
protected file that contains secret/private data then that's not a
problem.  If we are talking about k*.conf parameters that allow the
admin to store secrets in the k*.conf file itself then that's a problem.
Can someone provide more detail?

Will Fiveash
Oracle Solaris Software Engineer
