[1391] in Kerberos_V5_Development
Re: keytab editing
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Mon Jul 15 14:26:40 1996
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "Mon, 15 Jul 1996 12:08:12 EDT."
<9607151608.AA13769@DUN-DUN-NOODLES.MIT.EDU>
Date: Mon, 15 Jul 1996 14:26:33 EDT
From: Marc Horowitz <marc@MIT.EDU>
In message <9607151608.AA13769@DUN-DUN-NOODLES.MIT.EDU>, "Barry Jaspan" <bjaspan@MIT.EDU> writes:
>> First note: kadm5_keytab is obsolete. I ported it, and it works, but
>> I also add exactly the same functionality to the kadmin cli with the
>> ktadd and ktremove commands. I don't see any reason that a separate
>> keytab editor should continue to exist.
I don't see a replacement for kadm5_keytab -change in kadmin.
>> kadmin (and kadm5_keytab, for that matter) set the default keytab to
>> WRFILE:/etc/v5srvtab.
This is wrong. The default keytab for kadm5_keytab (and the kt
commands in kadmin) should be the same as everywhere else, namely,
$KRB5_KTNAME, or the compiled-in global default. Remember, no
hard-coded pathnames. This is what causes the problem. (It strikes
me that the default keytab name should be specifiable in krb5.conf,
too, but that's a separate discussion.)
>> I think the reason FILE and WRFILE exist is so that most apps can use
>> FILE and be sure they do not accidentally modify the keytab, even if
>> they have OS permission to do so. I don't think keytabs are so
>> critical that this is important, but we should explicitly decide that
>> before removing the distinction and leaving it up only to OS
>> permissions.
Well, then let's explicitly decide this. I think it's a stupid idea.
If someone wants to propose FILE and RDFILE, with FILE the default, I
could probably live with that.
>> Another possible idea is to create a new virtual type, DEF (and WRDEF
>> if we keep that distinction) that specifies whether the keytab is
>> writeable but also specifies that the default type (currently FILE (or
>> WRFILE)) should be used. I'm not clear what this buys us, though.
It buys us nothing. What follows the : for DEF? A filename? Doesn't
make much sense if the keytab isn't in the filesystem.
Marc