[15582] in Kerberos_V5_Development
Re: Creating GSSAPI initiate credential using
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Mar 10 15:06:43 2010
From: Russ Allbery <rra@stanford.edu>
To: "krbdev\@MIT.EDU" <krbdev@mit.edu>
In-Reply-To: <20100310195111.GQ24640@Sun.COM> (Nicolas Williams's message of
"Wed, 10 Mar 2010 13:51:12 -0600")
Date: Wed, 10 Mar 2010 12:06:40 -0800
Message-ID: <87hboogcvj.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Nicolas Williams <Nicolas.Williams@sun.com> writes:
> But we're talking about _user_ content, not system content.
Ah, I see, you said persistent user keytabs and I missed the user (or,
rather, interpreted it to mean application users used for privilege
separation by the system administrator, not regular login users).
> Such contents is best placed in $HOME, but then you get into a catch-22
> if you need [fresh] credentials to access $HOME, and, of course, you'd
> want to encrypt such credentials in case they are not confidentiality-
> protected on the wire. It's easier to use local storage, and /var seems
> right for that. Personally, I'd disallow persistent user keytabs and go
> with /var/run only as a matter of _policy_, but I think the system
> should support persistent user keytabs as well.
I agree that the waters are muddier if one is talking about general shell
users creating keytabs for their personal use. I would still create
per-user directories in /etc for this, personally, but I think the FHS
would accept either answer.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev