
Re: Debugging why KRB5_KTNAME isn't working

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Jan 27 13:45:21 2022

To: "Brian J. Murrell" <brian@interlinx.bc.ca>, <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <786a0a7b-2d3c-f016-a32c-c8e8c21f7a6c@mit.edu>
Date: Thu, 27 Jan 2022 13:41:38 -0500
MIME-Version: 1.0
In-Reply-To: <4f4a71e295df1a7aa4e53475af50164af7cbe86a.camel@interlinx.bc.ca>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 1/27/22 12:01 PM, Brian J. Murrell wrote:
> I am trying to debug why having KRB5_KTNAME set in the environment of a
> process is not actually making that process use that keytab file but
> instead is using the default /etc/krb5.keytab.

There are three possible reasons why environment variables might be
ignored.  First, Postfix might be asking for a secure krb5 context
(krb5_init_secure_context()).  Second (and I think the most likely), the
process may be running with elevated privilege as determined by
secure_getenv().  A setuid or setgid bit on the executable could be
enough to trigger this.  Third, as Ken suggested, the program might
clean up its own environment.

If any of these are true, then you have limited options to affect the
program behavior from outside of the process.  You can change the
default keytab location in /etc/krb5.conf, but that would be global (and
of course you can't point the program at a different config file via
environment variable because those are ignored).

Of course, the program itself can provide configuration for the keytab
file.  I couldn't find any gss_ or krb5_ calls in the Postfix source
code (looking at Viktor Dukhovni's git mirror), so I don't have any
immediate insight as to whether that's currently possible or what would
need to change.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
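Added as an illustration of the three cases Greg lists, not code from this thread, from MIT krb5 or from Postfix: a small Python model of how the library chooses a keytab. It assumes that the environment is consulted only when the context is not a secure context and the process was not exec'd with AT_SECURE set (a setuid/setgid binary), which is the condition glibc's secure_getenv() checks; a program that scrubs its own environment looks the same as KRB5_KTNAME being unset, and the fallback is default_keytab_name in [libdefaults], then /etc/krb5.keytab.

```python
import stat

DEFAULT_KEYTAB = "/etc/krb5.keytab"  # built-in default when nothing else applies


def has_privileged_bits(mode):
    """True if a file mode carries setuid or setgid.  Executing such a binary
    sets AT_SECURE, and glibc's secure_getenv() then returns NULL for everything."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def secure_getenv(name, environ, at_secure):
    """Model of glibc secure_getenv(): None whenever AT_SECURE is set."""
    if at_secure:
        return None
    return environ.get(name)


def default_keytab_from_profile(krb5_conf_text):
    """Minimal krb5.conf reader: default_keytab_name under [libdefaults]."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # profile comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_keytab_name":
                return value
    return None


def resolve_keytab(environ, at_secure, secure_context, krb5_conf_text):
    """Return (keytab, reason): which keytab the library will open and why.
    Case 1: secure context; case 2: AT_SECURE; case 3: variable absent."""
    if secure_context:
        reason = "krb5_init_secure_context(): environment ignored"
    elif at_secure:
        reason = "AT_SECURE (setuid/setgid exec): secure_getenv() ignores environment"
    else:
        value = secure_getenv("KRB5_KTNAME", environ, at_secure)
        if value:
            return value, "KRB5_KTNAME honoured"
        reason = "KRB5_KTNAME unset (or scrubbed by the program)"
    profile = default_keytab_from_profile(krb5_conf_text)
    if profile:
        return profile, reason + "; using [libdefaults] default_keytab_name"
    return DEFAULT_KEYTAB, reason + "; using built-in default"
```

Run the mode check against the daemon binary's st_mode (os.stat) to test case two; the constructed krb5.conf below shows the only global workaround Greg mentions.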