Hi,

In the wake of the recent discussion about the location for SSL certificates, I was wondering about the same regarding Kerberos keytabs.

The only standard so far is /etc/krb5.keytab. That's the file meant to contain keys for the local machine. It is readable only by root for security reasons. Of course this is a problem for server applications that do not run as root, e.g. httpd. A number of applications provide means to specify an alternate location for the keytab, quite often through the KRB5_KTNAME environment variable.

The other benefit of having separate keytab files is that it should reduce risks in case of a security breach, and I think it should make it easier to enforce policies on keys with the help of SELinux.

Where should these files reside, then? In the application's directory, when present, such as /etc/httpd/ or /etc/openldap/? Or something like /etc/httpd/keytab.d? Maybe /etc/keytabs/ or /etc/krb5.keytabs/? The last two would work for applications that do not use a directory of their own under /etc.

What should the files be named? Should packages provide RPM ghost files?

Should more than one keytab be supported for a single application? I'm thinking of Apache vhosts; I don't know yet if mod_auth_kerb will be able to handle that.

Comments?

-- 
Rudi

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
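The post's argument for per-service keytabs is that a service like httpd should only ever hold its own keys, in a file only its own user can read, rather than the root-only machine keytab. The following is an added example (mine, not part of Rudi's post and not Fedora or mod_auth_kerb code) of how a package or admin could verify exactly that: it parses the MIT keytab file format (version 0x0502, big-endian fields; the 32-bit kvno trailer is optional) and audits a keytab for two things, that its mode grants no group/other access and that every principal in it belongs to the expected service (e.g. `HTTP/...`, with no `host/...` key mixed in). The keytab builder, the principal names, the dummy key bytes and the `demo()` paths are constructed for illustration; a real keytab would come from kadmin or ktutil.

```python
import os
import stat
import struct
import tempfile

KEYTAB_VERSION = b"\x05\x02"  # MIT keytab format 0x0502: all integers big-endian
NT_PRINCIPAL = 1              # name_type stored per entry in 0x0502


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples into a 0x0502 keytab.
    Only used here to construct an in-memory sample (not a kadmin replacement)."""
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))           # component count
        body += struct.pack(">H", len(realm)) + realm.encode()     # counted realm
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()         # counted components
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key        # keyblock
        body += struct.pack(">I", kvno)                            # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body                 # entry length prefix
    return bytes(out)


def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a 0x0502 keytab."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative length marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:      # trailing 32-bit kvno present (newer MIT/Heimdal)
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def audit_keytab(path, service):
    """Findings for a per-service keytab: no group/other permission bits, and
    only keys for `<service>/...` principals (a host/ key does not belong here)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access" % mode)
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    if not entries:
        findings.append("keytab has no live entries")
    for principal, kvno, enctype in entries:
        if not principal.startswith(service + "/"):
            findings.append("foreign principal %s (kvno %d, enctype %d)" % (principal, kvno, enctype))
    return findings


def demo():
    """Constructed comparison: a shared keytab (HTTP + host keys, mode 0644) versus
    a separated one (HTTP only, mode 0600). Key bytes are dummies."""
    http = ("HTTP/www.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32)  # 18 = aes256-cts-hmac-sha1-96
    host = ("host/www.example.com@EXAMPLE.COM", 2, 17, b"\x22" * 16)  # 17 = aes128-cts-hmac-sha1-96
    with tempfile.TemporaryDirectory() as d:
        shared = os.path.join(d, "krb5.keytab")
        with open(shared, "wb") as f:
            f.write(build_keytab([http, host]))
        os.chmod(shared, 0o644)
        separate = os.path.join(d, "httpd.keytab")
        with open(separate, "wb") as f:
            f.write(build_keytab([http]))
        os.chmod(separate, 0o600)
        return audit_keytab(shared, "HTTP"), audit_keytab(separate, "HTTP")


if __name__ == "__main__":
    bad, good = demo()
    print("shared keytab findings:", bad)
    print("per-service keytab findings:", good)
```

Pointing `KRB5_KTNAME` at the audited file (e.g. `KRB5_KTNAME=/etc/httpd/httpd.keytab` in the service's environment) is then the only step left on the application side; the audit says nothing about ownership, which in practice should be the service user, because that cannot be checked meaningfully without knowing the package's user.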