[4485] in Kerberos


Re: Service Key file distribution

daemon@ATHENA.MIT.EDU (Shawn Mamros)
Thu Jan 12 09:37:13 1995

To: kerberos@MIT.EDU
Date: Thu, 12 Jan 1995 08:48:18
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com

bbutton@netcom.com (Brian Button) writes:
>In this environment, it seems that we will be relying heavily on the
>/etc/v5srvtab file on each workstation to provide the clients and
>servers their private encryption key, so they can decrypt tickets
>returned from the AS. (Don't these clients and servers have to run
>setuid root to be able to read the protected /etc/v5srvtab file?)

Unless the client machines support some form of inbound service requiring
Kerberos authentication (i.e., if you intend to allow users to telnet,
rlogin, ftp etc. to client machines), you don't need srvtab files on
the client machines.  Instead, your users get tickets via kinit (or
you can roll the kinit functionality into your login program), and the
ticket files are owned by the user - no need for setuid in client programs.
(The server-side programs - telnetd, klogind, etc. - tend to run as root
anyways, so srvtab file access isn't an issue for them either.)

Putting srvtab files only where they're needed (on application server
machines) should simplify the srvtab file distribution issue somewhat...

-Shawn Mamros
E-mail to: mamros@ftp.com
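
An added example, not part of the original message or of any Kerberos distribution: a host audit for the placement rule discussed above. It reports a srvtab left on a machine that offers no inbound Kerberized service, and a srvtab readable by anyone other than its owner. The inetd.conf layout, the service-name list and the verdict words are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: inbound services
# are started from an inetd.conf-style file, and the names below are the
# Kerberized ones on this site.
KRB_SERVICES="telnet klogin eklogin kshell ftp"

# Print the assumed-Kerberized services enabled in an inetd.conf-style file.
enabled_krb_services() {
    conf=$1
    [ -r "$conf" ] || return 0
    # Skip comments and blank lines; the first field is the service name.
    awk -v want="$KRB_SERVICES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }
        ($1 in ok) { print $1 }
    ' "$conf" | sort -u | tr '\n' ' '
}

# audit_srvtab SRVTAB INETD_CONF [OWNER_UID]
# Prints one verdict word; returns 0 when clean, 1 on a finding.
audit_srvtab() {
    srvtab=$1; conf=$2; want_uid=${3:-0}
    services=$(enabled_krb_services "$conf")
    if [ ! -e "$srvtab" ]; then
        # No key file: fine on a pure client, a gap on an application server.
        if [ -n "$services" ]; then echo "missing-srvtab"; return 1; fi
        echo "ok-client"; return 0
    fi
    # A service key on a host with no inbound service is exposure for nothing.
    if [ -z "$services" ]; then echo "unneeded-srvtab"; return 1; fi
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid.
    set -- $(ls -ldn "$srvtab")
    mode=$1; uid=$3
    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "bad-mode"; return 1
    fi
    if [ "$uid" != "$want_uid" ]; then echo "bad-owner"; return 1; fi
    echo "ok-server"; return 0
}

# Stand-alone use: sh audit.sh /etc/v5srvtab /etc/inetd.conf
if [ "$#" -ge 2 ]; then audit_srvtab "$@"; fi
```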

