a suggestion for reducing use of kdc.conf
Will Fiveash
will.fiveash at oracle.com
Tue May 7 18:55:18 EDT 2013

On Tue, May 07, 2013 at 04:22:25PM -0500, Nico Williams wrote:
> On Tue, May 7, 2013 at 3:38 PM, Greg Hudson <ghudson at mit.edu> wrote:
> > Keep in mind that krb5.conf supports include directives now.
>
> Right, but I'm not sure that that would be enough to mollify PSARC. I
> guess they might be OK if Will sets up defaults and documentation such
> that users don't end up including secrets in krb5.conf or kdc.conf
> unless they really mean to, but... then there's MIT's docs as well.
>
> I'd like you to buy into the principle in question, rather than see
> this as something that a weirdo distro/vendor wants. I personally
> agree with that principle -- I'm not carrying PSARC's water.

I'm confused at this point. If we are talking about parameters like
key_stash_file in k*.conf files which provide a non-default path to a
protected file that contains secret/private data then that's not a
problem. If we are talking about k*.conf parameters that allow the
admin to store secrets in the k*.conf file itself then that's a problem.
Can someone provide more detail?
--
Will Fiveash
Oracle Solaris Software Engineer
More information about the krbdev mailing list