[4469] in Kerberos
Service Key file distribution
daemon@ATHENA.MIT.EDU (Brian Button)
Tue Jan 10 09:49:24 1995
To: kerberos@MIT.EDU
Date: Tue, 10 Jan 1995 14:11:36 GMT
From: bbutton@netcom.com (Brian Button)
I have a question about distribution of the /etc/v5srvtab file. My
current project involves a hybrid Kerberos/homegrown-CM system, where
the CM system has total responsibility for configuring the OS, logging
in the users, and downloading only those programs that the logged user
has a right to use. Kerberos, as has been dictated by management,
is only to be used to prevent spoofing and replaying of messages.

In this environment, it seems that we will be relying heavily on the
/etc/v5srvtab file on each workstation to provide the clients and
servers their private encryption key, so they can decrypt tickets
returned from the AS. (Don't these clients and servers have to run
setuid root to be able to read the protected /etc/v5srvtab file?)

The question that I have involves the administration problem of
distributing the v5srvtab file to 200 or more workstations scattered
throughout the site. Is there another way to do this safely, rather
than carry around a floppy to each of the machines? This is
impractical, because most of the machines do not have floppy drives on
them, this being a secure network.

One idea that has been advanced is to use PGP to encrypt the files,
and have root login on each of the workstations, decrypt the files
using the appropriate key, and install the file into its proper
location. Does this seem safe?

Thanks for any advice,
bab
--
Brian Button email: bbutton@netcom.com, bbutton@hti.net
Houston, TX
"Always mount a scratch monkey"