a suggestion for reducing use of kdc.conf

Nathaniel McCallum npmccallum at redhat.com
Thu May 9 11:33:51 EDT 2013


On Wed, 2013-05-08 at 17:10 -0400, Greg Hudson wrote:
> On 05/07/2013 06:55 PM, Will Fiveash wrote:
> > I'm confused at this point.  If we are talking about parameters like
> > key_stash_file in k*.conf files which provide a non-default path to a
> > protected file that contains secret/private data then that's not a
> > problem.  If we are talking about k*.conf parameters that allow the
> > admin to store secrets in the k*.conf file itself then that's a problem.
> > Can someone provide more detail?
> 
> The issue is the "secret" variable in
> http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS (a project which
> has undergone review, but hasn't been merged yet).
> 
> Most likely Nico is right, and we should change the variable to hold the
> pathname of a file containing the RADIUS secret.

So long as we can still have the default for the RoUS case, I'm happy.

However, I'm not really a fan of having any of the RADIUS
configuration globally readable. I like Greg's include idea the best.

Nathaniel



