[28695] in Kerberos
Re: Question on security of keytab file.
daemon@ATHENA.MIT.EDU (John Hascall)
Thu Nov 8 15:56:48 2007
To: Priya Govindarajan <govindap@us.ibm.com>
In-reply-to: Your message of Thu, 08 Nov 2007 12:01:05 -0800.
<OF6F96A380.A271D997-ON8725738D.006C0759-8825738D.006DEC7E@us.ibm.com>
Date: Thu, 08 Nov 2007 14:50:54 CST
Message-ID: <19337.1194555054@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>
Cc: kerberos@mit.edu
> The question is, while providing support for a service to be a kerberized
> service -
> what are the security issues/advantages of providing the option for the
> user to have an individual keytab file (which can be different from
> /etc/krb5.keytab and holds the key of that particular service) for the
> kerberized service vs. using the default keytab file (/etc/krb5.keytab)?
>
> Is it necessary to have a separate keytab file for the kerberized service,
> different from the default keytab file (/etc/krb5.keytab for Linux)? I.e.,
> does it provide any more security than the already root-only access to
> /etc/krb5.keytab?
One time when you may want/need to use a keytab file
other than /etc/krb5.keytab is if the service runs
as a user other than root -- although a lot of times
running as a different user is coupled with running
in a chroot-jail so the file can still be known to
the application as /etc/krb5.keytab -- for example,
from one of my servers
vs-1# ls -l /var/chroot/accessd/etc/krb5.keytab
-r-------- 1 accessd accessd 137 Oct 30 11:47 /var/chroot/accessd/etc/krb5.keytab
John
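A small audit script for the layout John describes, added here as an example (it is not part of the original message and not MIT Kerberos code): it checks that a service's keytab is owned by the account the daemon runs as and is not group- or world-readable, and shows how MIT krb5's KRB5_KTNAME environment variable points a non-root daemon at a keytab other than /etc/krb5.keytab. The path and user name come from the ls output above; GNU stat(1) is assumed, and the host principal in the kadmin comment is made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from MIT krb5.
# Assumes GNU coreutils stat(1). The motivating case is the post's
#   -r-------- 1 accessd accessd ... /var/chroot/accessd/etc/krb5.keytab

# A keytab holds the service's long-term key, so before a daemon that
# dropped root is allowed to read it, two things must hold:
#   1. the file is owned by the account the daemon actually runs as, and
#   2. nobody else can read it: mode 0400 or 0600.
# Usage: check_keytab <path> <expected-owner>; returns 0 if both hold,
# 1 otherwise, with the reason on stderr.
check_keytab() {
    keytab=$1
    owner_expected=$2
    if [ ! -f "$keytab" ]; then
        echo "check_keytab: $keytab: no such file" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$keytab")    # e.g. 400, 600, 644
    owner=$(stat -c '%U' "$keytab")   # owner's user name
    status=0
    if [ "$owner" != "$owner_expected" ]; then
        echo "check_keytab: $keytab owned by $owner, expected $owner_expected" >&2
        status=1
    fi
    case "$mode" in
        400|600) ;;
        *)
            echo "check_keytab: $keytab has mode $mode, want 0400 or 0600" >&2
            status=1
            ;;
    esac
    return $status
}

# Populating a per-service keytab is an ordinary kadmin ktadd with -k giving
# the path, e.g. (principal name is an assumption, not run here):
#   kadmin -q "ktadd -k /var/chroot/accessd/etc/krb5.keytab host/vs-1.example.com"
# followed by chown accessd:accessd and chmod 0400 on the file.

# Pointing a non-root daemon at its own keytab: MIT krb5 honours the
# KRB5_KTNAME environment variable (and default_keytab_name in the
# [libdefaults] section of krb5.conf). Inside a chroot, as in the post, the
# process can keep seeing the file as /etc/krb5.keytab and none of this is
# needed; outside one, the path is made explicit like this.
# Usage: run_with_keytab <path> <command> [args...]
run_with_keytab() {
    keytab=$1
    shift
    KRB5_KTNAME="FILE:$keytab" "$@"
}

# Example audit of the file from the post (only meaningful on that host):
#   check_keytab /var/chroot/accessd/etc/krb5.keytab accessd && echo OK
```

Run check_keytab from a deploy script or a periodic check; a world-readable keytab is a full compromise of that service principal, since anyone who reads it can both impersonate the service and decrypt tickets presented to it.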
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos