Standard keytab location

Rudi Chiarito nutello at sweetness.com
Sun May 22 18:49:23 UTC 2005


Hi,
in the wake of the recent discussion about the location for SSL
certificates, I was wondering about the same regarding Kerberos
keytabs.

The only standard so far is /etc/krb5.keytab. That's the file meant to
contain keys for the local machine. It is readable only by root for
security reasons. Of course this is a problem for server applications
that do not run as root, e.g. httpd. A number of applications provide
means to specify an alternate location for the keytab - quite often
through the KRB5_KTNAME environment variable. The other benefit of
having separate keytab files is that it should reduce risks in case of
a security breach and I think it should make it easier to enforce
policies on keys with the help of SELinux.

Where should these files reside, then? In the application's directory,
when present, such as /etc/httpd/ or /etc/openldap/? Or something like
/etc/httpd/keytab.d? Maybe /etc/keytabs/ or /etc/krb5.keytabs/? The
last two would work for applications that do not use a directory of
their own under /etc.

What should the files be named? Should packages provide RPM ghost files?
Should more than one keytab be supported for a single application? I'm
thinking of Apache vhosts - I don't know yet if mod_auth_kerb will be
able to handle that.

Comments?

--
Rudi
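An added illustration of the point above about root-only /etc/krb5.keytab versus per-service keytabs selected through KRB5_KTNAME. This is example code written for this page, not something from the original post or from any Fedora package: the service user and the /etc/httpd/httpd.keytab path in the comments are assumed, the demo at the bottom runs in a scratch directory with an empty placeholder file rather than a real keytab, and it relies on GNU stat (with a BSD stat fallback) and mktemp.

```sh
#!/bin/sh
# Added example, not from the original post: resolve which keytab a
# non-root service will actually open, and refuse to start it unless
# that keytab is private to the service account.
#
# Assumed names (not in the original thread): a service account "apache"
# and a per-service keytab /etc/httpd/httpd.keytab appear only in the
# comments; the demo at the bottom uses a temporary directory instead.

# The krb5 library reads KRB5_KTNAME when it is set; the value may carry
# a "FILE:" type prefix. Unset, it falls back to /etc/krb5.keytab, which
# is root-only and therefore unusable by e.g. an httpd running as apache.
# Typical service setup (assumed path):
#   export KRB5_KTNAME=FILE:/etc/httpd/httpd.keytab
resolve_keytab() {
    kt="${KRB5_KTNAME:-/etc/krb5.keytab}"
    case "$kt" in
        FILE:*) kt="${kt#FILE:}" ;;
    esac
    printf '%s\n' "$kt"
}

# Print "<octal mode> <owner>" for a file (GNU stat, BSD stat fallback).
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%OLp %Su' "$1"
}

# check_keytab PATH OWNER: succeed only if PATH is a regular file owned
# by OWNER with mode 0600 or 0400, i.e. readable by the service account
# and by nobody else except root. Reasons for failure go to stderr.
check_keytab() {
    path=$1
    want_owner=$2
    if [ ! -f "$path" ]; then
        echo "keytab $path: not a regular file" >&2
        return 1
    fi
    set -- $(file_mode_owner "$path")
    mode=$1
    owner=$2
    if [ "$owner" != "$want_owner" ]; then
        echo "keytab $path: owned by $owner, expected $want_owner" >&2
        return 1
    fi
    case "$mode" in
        600|400|0600|0400) ;;
        *)
            echo "keytab $path: mode $mode grants group/world access" >&2
            return 1 ;;
    esac
    return 0
}

# Demo in a scratch directory with constructed data (an empty file
# stands in for a keytab; no real keys are involved).
demo() {
    tmp=$(mktemp -d) || return 1
    kt="$tmp/httpd.keytab"
    me=$(id -un)
    : > "$kt"
    chmod 644 "$kt"        # the usual mistake: keytab readable by everyone
    if check_keytab "$kt" "$me" 2>/dev/null; then
        echo "unexpected: 0644 keytab accepted"
    else
        echo "rejected 0644 keytab, as intended"
    fi
    chmod 600 "$kt"
    check_keytab "$kt" "$me" && echo "accepted 0600 keytab owned by $me"
    echo "service would open: $(KRB5_KTNAME="FILE:$kt" resolve_keytab)"
    rm -rf "$tmp"
}
demo
```

The check is meant to run from the service's init script just before the daemon starts (or from a packaging test), so a keytab that was dropped in with the wrong owner or left group-readable stops the service with a clear message instead of silently exposing the key. If the preferred layout ends up being a directory such as /etc/keytabs/, the same check can be looped over every file in it.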
More information about the fedora-devel-list mailing list