[15582] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Creating GSSAPI initiate credential using

daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Mar 10 15:06:43 2010

From: Russ Allbery <rra@stanford.edu>
To: "krbdev\@MIT.EDU" <krbdev@mit.edu>
In-Reply-To: <20100310195111.GQ24640@Sun.COM> (Nicolas Williams's message of
	"Wed, 10 Mar 2010 13:51:12 -0600")
Date: Wed, 10 Mar 2010 12:06:40 -0800
Message-ID: <87hboogcvj.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

Nicolas Williams <Nicolas.Williams@sun.com> writes:

> But we're talking about _user_ content, not system content.

Ah, I see, you said persistent user keytabs and I missed the user (or,
rather, interpreted it to mean application users used for privilege
separation by the system administrator, not regular login users).

> Such contents is best placed in $HOME, but then you get into a catch-22
> if you need [fresh] credentials to access $HOME, and, of course, you'd
> want to encrypt such credentials in case they are not confidentiality-
> protected on the wire.  It's easier to use local storage, and /var seems
> right for that.  Personally, I'd disallow persistent user keytabs and go
> with /var/run only as a matter of _policy_, but I think the system
> should support persistent user keytabs as well.

I agree that the waters are muddier if one is talking about general shell
users creating keytabs for their personal use.  I would still create
per-user directories in /etc for this, personally, but I think the FHS
would accept either answer.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post