[28696] in Kerberos

Re: Question on security of keytab file.

daemon@ATHENA.MIT.EDU (Roberto C. Sánc)
Thu Nov 8 20:22:02 2007

Date: Thu, 8 Nov 2007 20:21:17 -0500
From: Roberto C. Sánchez <roberto@connexer.com>
To: kerberos@mit.edu
Message-ID: <20071109012117.GA6302@connexer.com>
In-Reply-To: <19337.1194555054@malison.ait.iastate.edu>

On Thu, Nov 08, 2007 at 02:50:54PM -0600, John Hascall wrote:
>
> One time when you may want/need to use a keytab file
> other than /etc/krb5.keytab is if the service runs
> as a user other than root -- although a lot of times
> running as a different user is coupled with running
> in a chroot-jail so the file can still be known to
> the application as /etc/krb5.keytab -- for example,
> from one of my servers
>
> vs-1# ls -l /var/chroot/accessd/etc/krb5.keytab
> -r--------  1 accessd  accessd  137 Oct 30 11:47 /var/chroot/accessd/etc/krb5.keytab
>
One other thing to point out is that some services expect to have their
own keytab (for the reasons you mentioned).  For example, OpenLDAP has
(at least on my Debian servers) a default keytab of
/etc/ldap/ldap.keytab.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
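
The per-service keytab layout discussed in this thread (a keytab owned by the account the service runs as and readable by nobody else, as in the quoted `ls -l` listing) can be checked with a short script. This is an added example, not part of the original messages; the function name `check_keytab` and the choice to accept only modes 0400 and 0600 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit one service keytab.
# check_keytab FILE OWNER
#   FILE  - keytab path, e.g. /var/chroot/accessd/etc/krb5.keytab
#   OWNER - user name or numeric uid the service runs as, e.g. accessd
# Returns 0 if clean, 1 on ownership/mode findings, 2 if FILE is unusable.
check_keytab() {
    _kt=$1
    _owner=$2
    _rc=0

    # Refuse symlinks and non-regular files: the check must describe the
    # file that actually holds the service's long-term keys.
    if [ -L "$_kt" ] || [ ! -f "$_kt" ]; then
        echo "$_kt: missing, a symlink, or not a regular file"
        return 2
    fi

    # The file must belong to the account the service runs as.
    if [ -z "$(find "$_kt" -prune -user "$_owner" 2>/dev/null)" ]; then
        echo "$_kt: not owned by $_owner"
        _rc=1
    fi

    # Assumption: only 0400 (as in the quoted listing) or 0600 is acceptable.
    # Exact-match -perm also rejects group/other bits and setuid/setgid.
    if [ -z "$(find "$_kt" -prune \( -perm 400 -o -perm 600 \) 2>/dev/null)" ]; then
        echo "$_kt: mode is not 0400 or 0600"
        _rc=1
    fi

    return "$_rc"
}

# Stand-alone use: sh check_keytab.sh FILE OWNER
if [ "$#" -eq 2 ]; then
    check_keytab "$1" "$2"
fi
```

For a chrooted service, pass the path as seen from outside the jail, since that is where the audit runs.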
