[19163] in Kerberos


Re: Keytabs in Kerberos

daemon@ATHENA.MIT.EDU (Dr. Greg Wettstein)
Fri May 2 09:27:25 2003

Message-Id: <200305021326.h42DQFBx004731@wind.enjellic.com>
From: greg@wind.enjellic.com (Dr. Greg Wettstein)
Date: Fri, 2 May 2003 08:26:15 -0500
In-Reply-To: Ken Raeburn <raeburn@mit.edu>
       "Re: Keytabs in Kerberos" (May  1,  5:40pm)
To: Ken Raeburn <raeburn@mit.edu>, kerberos@mit.edu
Reply-To: greg@enjellic.com
Errors-To: kerberos-bounces@mit.edu

On May 1,  5:40pm, Ken Raeburn wrote:
} Subject: Re: Keytabs in Kerberos

> That's something that I think should be made configurable someday,
> without requiring environment variables or anything like that just to
> be able to run a server as a non-root user.  I'm not sure how it should
> be set up though.  Perhaps some data in krb5.conf mapping the
> principal name to the keytab name, like:
> 
>   [libdefaults]
>     keytabs = {
>       host/* = KEYTAB:/etc/krb5.keytab
>       ftp/* = KEYTAB:/etc/ftp.keytab
>       imap/* = KEYTAB:/etc/imapd/keytab
>       pop/* = SRVTAB:/etc/pop.srvtab
>       */* = KEYTAB:/etc/krb5.keytab
>       * = KEYTAB:~/.k5keytab
>     }
> 
> Just an idea....

Actually a great idea; would the core team accept patches if they were
to be worked up?

The Hurderos Project is facing a similar problem with keytabs.  The
service identities need the keytab entry both for authentication
purposes as well as for generating the authorization identity.

I was worried about this issue from a security perspective since some
of the applications which needed to carry out authentication and
authorization were non-root processes.  The ability for an application
to have its own keytab would enable the keys to be partitioned
according to application and/or security requirements.

> Ken

Greg

}-- End of excerpt from Ken Raeburn

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-4950            WWW: http://www.enjellic.com
FAX: 701-281-3949           EMAIL: greg@enjellic.com
------------------------------------------------------------------------------
"There are two things that are infinite; Human stupidity and the
universe.  And I'm not sure about the universe."
                                -- Albert Einstein
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
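As an added illustration of the two points in this exchange (it is not code from the thread, from MIT Kerberos, or from the Hurderos Project), the block below implements a resolver for the hypothetical `keytabs = { pattern = TYPE:path }` stanza Ken sketched, and pairs it with the ownership and permission check a non-root service should apply to whatever keytab it is handed, which is the partitioning concern Greg raises. Everything about the stanza's semantics is an assumption: entries are matched top to bottom with first match winning (so specific entries must precede `*/*` and `*`), `*` matches within a single principal component, and `~` expands to the service user's home directory. The sample `krb5.conf` text is constructed for the example.

```python
"""Added example, not part of the original post or of MIT Kerberos.

Resolves a service principal to a keytab through a hypothetical
`keytabs = { pattern = TYPE:path }` stanza, then checks that the keytab
is private to the service's uid before a non-root daemon would use it.
All stanza semantics here are assumptions made for the example.
"""
import fnmatch
import os
import re
import stat
import tempfile

# Constructed sample configuration, reproducing the stanza from the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    keytabs = {
        host/* = KEYTAB:/etc/krb5.keytab
        ftp/* = KEYTAB:/etc/ftp.keytab
        imap/* = KEYTAB:/etc/imapd/keytab
        pop/* = SRVTAB:/etc/pop.srvtab
        */* = KEYTAB:/etc/krb5.keytab
        * = KEYTAB:~/.k5keytab
    }
"""

ENTRY_RE = re.compile(r"^(\S+)\s*=\s*(\S+)$")


def parse_keytab_map(conf_text):
    """Return the ordered (pattern, 'TYPE:path') pairs inside keytabs = { ... }."""
    entries, in_stanza = [], False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not in_stanza:
            in_stanza = re.match(r"^keytabs\s*=\s*\{$", stripped) is not None
            continue
        if stripped == "}":
            break
        m = ENTRY_RE.match(stripped)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def match_pattern(pattern, principal):
    """Assumed semantics: '*' matches one component; component counts must agree."""
    name_parts = principal.split("@", 1)[0].split("/")   # drop the realm
    pat_parts = pattern.split("/")
    if len(name_parts) != len(pat_parts):
        return False
    return all(fnmatch.fnmatchcase(n, p) for n, p in zip(name_parts, pat_parts))


def resolve_keytab(entries, principal, home="~"):
    """First matching entry wins; returns (type, path) or None if nothing matches."""
    for pattern, target in entries:
        if match_pattern(pattern, principal):
            ktype, _, path = target.partition(":")
            if path.startswith("~/"):            # '~user/...' is not handled here
                path = home + path[1:]
            return ktype, path
    return None


def keytab_is_private(st_mode, st_uid, expected_uid):
    """Accept only a regular file owned by the service uid with no group/other bits.

    A keytab readable by another uid lets that uid impersonate the service,
    which defeats the point of giving each daemon its own keytab.
    """
    if not stat.S_ISREG(st_mode) or st_uid != expected_uid:
        return False
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_keytab_file(path, expected_uid):
    """Stat a keytab on disk and apply keytab_is_private; missing file -> False."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return keytab_is_private(st.st_mode, st.st_uid, expected_uid)


def demo():
    """Create a throwaway keytab file and show the check passing, then failing."""
    fd, path = tempfile.mkstemp(prefix="demo-keytab-")
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        private_ok = check_keytab_file(path, os.getuid())
        os.chmod(path, 0o644)                # world-readable: must be rejected
        world_readable_ok = check_keytab_file(path, os.getuid())
    finally:
        os.unlink(path)
    return private_ok, world_readable_ok


if __name__ == "__main__":
    entries = parse_keytab_map(SAMPLE_KRB5_CONF)
    for princ in ("host/www.example.com@EXAMPLE.COM",
                  "imap/mail.example.com@EXAMPLE.COM",
                  "greg@EXAMPLE.COM"):
        print(princ, "->", resolve_keytab(entries, princ, home="/home/greg"))
    print("permission check (0600, 0644):", demo())
```

The stanza itself never shipped in that form; what MIT krb5 actually offers is a single `default_keytab_name` relation in `[libdefaults]`, overridable per process with the `KRB5_KTNAME` environment variable, which is exactly the environment-variable workaround Ken wanted to avoid. Whatever mechanism selects the file, the ownership check is the part worth keeping: a per-service keytab only partitions keys if no other uid on the host can read it.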
