On Fri, Nov 29, 2013 at 12:03:58PM +0100, Martin Kosek wrote:
> On 11/29/2013 11:27 AM, Natxo Asenjo wrote:
> > hi,
> > just came across Erinn Looney-Triggs's excellent writeup on using
> > kerberos for relaying e-mail
> > (https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/)
> > and have a question.
> > Would it not be possibly easier to just use the host's keytab
> > (/etc/krb5.keytab) instead of just deploying a new service principal
> > to every smtp client?
> > I ask this because I am at the point of deploying something similar
> > and would rather not have to deploy another set of keytabs
> > everywhere unless this is a security malpractice, of course.
> > TIA,
> > --
> > Groeten,
> > natxo
> Easier? Yes. More secure? Probably not.
> Kerberos experts may correct me, but from my POV, it is better to separate
> these privileges. If postfix works on host/`hostname`@REALM, it could act as a
> host identity. For example, an attacker could change the host's SSH public keys in
> the FreeIPA host entry in LDAP if it takes control over the mail service. Or it
> could unenroll the host entirely from FreeIPA.
> If it runs on its own keytab and thus its own identity, it can only act on behalf
yes, reusing keytabs is like giving all users the same password and
making them aware of it.
Freeipa-users mailing list
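As an added illustration of the point made in this thread (not code from the thread, the linked blog post, or FreeIPA itself): a small audit that parses an MIT-format keytab and reports any host/ principals it holds, so a keytab handed to Postfix can be checked for carrying host identity before it is deployed. The keytab bytes, the realm EXAMPLE.TEST and the name mail.example.test are constructed placeholders; to audit a real file, read its bytes and pass them to host_principals.

```python
import struct
# Constructed sample only: EXAMPLE.TEST / mail.example.test are placeholders, keys are zero bytes.
# Layout follows the MIT keytab file format, version 2 (magic bytes 0x05 0x02).
def build_entry(realm, comps, kvno=3, enctype=18, key=b"\x00" * 32):
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # name_type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key   # keyblock: enctype, length, key
    return struct.pack(">i", len(body)) + body

def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                 # negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        realm = data[pos + 4:pos + 4 + rlen].decode()
        pos += 4 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        # name_type, timestamp, 8-bit kvno, enctype, key length, then the key bytes
        _, _, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries

def host_principals(keytab_bytes):
    """host/... principals in a keytab; a mail-service keytab should contain none."""
    return [p for p, _, _ in parse_keytab(keytab_bytes) if p.startswith("host/")]

HOST_KEYTAB = build_keytab([build_entry("EXAMPLE.TEST", ["host", "mail.example.test"])])
SMTP_KEYTAB = build_keytab([build_entry("EXAMPLE.TEST", ["smtp", "mail.example.test"])])
```

On a real system, `klist -kt <keytab>` lists the same principals; the parser above is only there so the check can be scripted and run offline.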