
Re: Antwort: Re: SASL/GSSAPI keytab location [Virus checked]

--On Friday, April 02, 2004 8:49 PM -0500 Diego Julian Remolina <dijuremo@math.gatech.edu> wrote:

You can set the kerberos keytab location with the environment variable:
KRB5_KTNAME

for tcsh:
setenv KRB5_KTNAME /path/to/keytab
for bash:
export KRB5_KTNAME=/path/to/keytab

Since kerberos is the one using the keytabs to obtain the tickets,
your kerberos distro decides where to look for the keytab by default.  We use
solaris and it needs the host/fqdn keytab for things other than ldap.  So
our krb5.keytab is only readable by root and has keys for ldap/fqdn and
host/fqdn.

You do not usually give keytabs to other persons.  The keytab file should
only be readable by root.  That is the exact equivalent of /etc/shadow.
If someone gets root on your machine they own it all.  So having a keytab
owned and readable only by root is not a security risk. Actually I do have
another keytab that has my rootdn keys.  I use it to add/remove/modify
ldap entries.  Nobody even knows the password for my rootdn since it was
randomly generated and stored in a keytab (not even myself).  The only way
to add/remove/modify entries in my ldap server is as root with
slapadd offline; or as root on the right machine that has the rootdn
keytab and can obtain a ticket from the kerberos server and use
ldapadd/ldapmodify/ldapdelete.

Diego


I know all this, why are you sending it to me? ;)

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
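The advice in the quoted message (the keytab the library reads, chosen via KRB5_KTNAME, should be root-owned and readable by nobody else, like /etc/shadow) can be turned into a quick audit. The script below is an added example written for this page, not code from either poster; it assumes a POSIX shell with `ls`, `cut` and `find`, and the optional OWNER argument is a hypothetical knob added so the check can be run by a non-root user.

```shell
# check_keytab PATH [OWNER]
# Returns 0 when PATH is a regular file owned by OWNER (default: root)
# with no group/other permission bits, 1 otherwise.
check_keytab() {
    kt=$1
    owner=${2:-root}
    # MIT Kerberos accepts a "FILE:" prefix in KRB5_KTNAME; strip it so the
    # same function can be fed the raw environment value.
    case "$kt" in
        FILE:*) kt=${kt#FILE:} ;;
    esac
    if [ ! -f "$kt" ]; then
        echo "keytab '$kt' does not exist or is not a regular file" >&2
        return 1
    fi
    # Owner check: find prints the path only when the -user test matches.
    if [ -z "$(find "$kt" -user "$owner" 2>/dev/null)" ]; then
        echo "keytab '$kt' is not owned by $owner" >&2
        return 1
    fi
    # Permission check: characters 5-10 of the ls mode string are the group
    # and other bits; any letter there means someone besides the owner can
    # read, write or execute the file.
    mode=$(ls -ld "$kt" | cut -c1-10)
    case "$mode" in
        ????------) ;;
        *)  echo "keytab '$kt' has mode $mode; expected no group/other access" >&2
            return 1 ;;
    esac
    return 0
}

# Resolve the keytab the way the thread describes: KRB5_KTNAME when set,
# otherwise the common /etc/krb5.keytab default (the real default depends on
# the Kerberos distribution, as the quoted message notes).
keytab_in_use() {
    printf '%s\n' "${KRB5_KTNAME:-/etc/krb5.keytab}"
}
```

Run it as `check_keytab "$(keytab_in_use)"` on the LDAP host; a non-zero status means the keytab is exposed beyond root or is not where the library will look.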