[HCoop-Discuss] I no longer can make automated backups

Adam Megacz megacz at hcoop.net
Mon Jul 2 14:22:56 EDT 2007


docelic <docelic at hcoop.net> writes:
> It's worth noting that you can't have both a password and a keytab
> for the same "principal" (username) in Kerberos. Exporting the key
> to a keytab effectively invalidates your password.

BTW, I was the one who originally propagated this information, and it
is actually wrong.  Thanks go to cclausen for correcting me on this
(on the kerberos mailing list).

What you can actually do (and I *REALLY* don't recommend this) is
create a keytab that contains your password (run "ktutil" and try
"addent -password").  I'd sort of prefer it if we didn't put this fact
on the wiki, although I guess I can't prevent that.

In effect, a keytab is just a file with a password in it.  When we
admins create keytabs with the "ktadd" command, kadmin just generates
a really, really, really long random password and sticks that in the
file (obliterating whatever was formerly in the KDC in the process).
But it's still just a password; technically you could run "kinit" and
type it in by hand.

> Therefore, we have to have two principals in kerberos for each user.

We also do this for another reason: to give people a way to have a
keytab (for automated processes) without that keytab having full
access to the user's account.  Any time you put a password/keytab on a
disk anywhere, it's a security risk.  By giving users a second
quasi-crippled user.daemon account, we confine this risk to a
sub-account which has far fewer capabilities.

  - a

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380
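An added illustration, not part of the original message, of the point that a keytab is just key material sitting in a file: a small Python parser for the MIT keytab file format (version 0x0502) run over a constructed sample, plus a check that flags entries belonging to a user's primary principal rather than a `.daemon` sub-account. The realm, principal names, key bytes and the `.daemon` naming convention are assumptions for the example.

```python
import struct

def build_entry(realm, comps, vno, enctype, key, ts=0, name_type=1):
    """Serialize one keytab entry (MIT format 0x0502, big-endian fields)."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:           # realm first, then name components
        b = s.encode()
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", name_type, ts, vno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", vno)      # trailing 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

# Constructed sample: one daemon sub-principal and one primary user principal.
# Keys are fake bytes; realm, names and enctype 18 are only illustrative.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("EXAMPLE.ORG", ["alice.daemon"], 3, 18, b"\x11" * 32)
    + build_entry("EXAMPLE.ORG", ["alice"], 7, 18, b"\x22" * 32))

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key_bytes)] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        realm, comps = strings[0], strings[1:]
        _name_type, _ts, vno = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if end - pos >= 4:              # 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(("/".join(comps) + "@" + realm, vno, enctype, key))
    return entries

def primary_principals(entries):
    """Principals that are not '.daemon' sub-accounts (assumed naming scheme)."""
    return [p for p, _vno, _et, _key in entries
            if not p.split("@")[0].endswith(".daemon")]
```

Running `primary_principals(parse_keytab(open(path, "rb").read()))` over a real keytab shows whether it carries a key that grants full access to the user's account rather than only to the sub-account.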