[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Antwort: Re: SASL/GSSAPI keytab location [Virus checked]



You can set the kerberos keytab location with the environment variable:
KRB5_KTNAME

for tcsh:
setenv KRB5_KTNAME /path/to/keytab
for bash:
export KRB5_KTNAME=/path/to/keytab

Since kerberos is the one using the keytabs to obtain the tickets, then
your kerberos distro decides where to look the keytab by default.  We use
solaris and it needs the host/fqdn keytab for things other than ldap.  So
our krb5.keytab is only readable by root and has keys for ldap/fqdn and
host/fqdn.

You do not usually give keytabs to other persons.  They keytab file should
only be readable by root.  That is the exact equivalent of /etc/shadow.
If someone gets root on your machine they own it all.  So having a keytab
owned and readable only by root is not a security risk. Actually I do have
another keytab that has my rootdn keys.  I use it to add/remove/modify
ldap entries.  Nobody even knows the password for my rootdn since it was
randomly generated and stored in a keytab (not even myself).  The only way
to add/remove/modify entries in my ldap server is as root with
slapadd offline; or as root in the right machine that has the rootdn
keytab and can obtain a ticket from the kerberos server and use
ldapadd/ldapmodify/ldapdelete.

Diego

On Thu, 1 Apr 2004, Quanah Gibson-Mount wrote:

>
>
> --On Thursday, April 01, 2004 10:44 AM +0200 denis.havlik@t-mobile.at wrote:
>
>
> >> This is entirely based on how kerberos was configured on the server you
> >> are  using.  I suggest you complain to the person who built the package
> >> for you.  This is not an OL issue.
> >
> > Sorry, but I disagree.
> >
> > The location of a default keytab file is quite irrelevant, simply because
> > this file should not be used in the first place(*). Everyone who uses
> > SASL/GSSAPI with openLDAP should IMO use a keytab file that is owned by
> > ldap, readable only by LDAP, and contains no other keytabs but those
> > needed for LDAP/SASL/GSSAPI.
> > Default keytab file is not suitable for this purpose, and thus we have to
> > define the location of the LDAPs "private" keytab file somewhere.
> >
> > The fact that I can't configure the location of this keyfile in
> > /etc/openldap/slapd.conf is annoying, especially considering the fact
> > that I can configure other sasl-related stuff there.
>
> You can if you use the right environment variables for slapd in your
> startup script.  But those are Kerberos environment variables.
>
> > (*) I'm not a kerberos expert, but AFAIK giving someone a keyfile in
> > kerberised environment is just like giving him a password. Now, imagine a
> > situation when several services run on a machine, and each of them needs
> > a "password" written down in a file. Would you put all passwords in one
> > file, or would you prefer having only the password(s) that one
> > application really needs in a file that is only readable by this
> > application?
>
> You aren't giving someone a keytab.  Of course, I run my slapd as root, but
> I also run trusted boxes. ;)
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITSS/TSS/Computing Systems
> ITSS/TSS/Infrastructure Operations
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>