On Jun 3, 2007, at 12:43, Russ Allbery wrote:
> Yes. Unless I'm missing something, it seems like krb5_verify_init_creds
> could use any key in the keytab (well, provided that there isn't another
> key for the same principal with a later kvno) if no particular principal
> is specified.

At least around MIT, a single key file is often used as the distribution mechanism for all the keys to be used on a host, regardless of whether each service runs as root or not. Obviously keys for non-root services would have to be copied out, but that doesn't mean that the default keytab file won't still have copies of keys available to anyone who compromises a non-root service.

So a facility run as root should probably prefer keys most likely to be accessible only to root, namely, the host key. Since most uses of verify_init_creds are probably for actual login access, I think the current behavior is probably the right default. If no host key is present, then maybe using another key makes sense.

Ken
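
The key preference discussed in this message (host key first, another key only when no host key is present, highest kvno for the chosen principal), modelled as an added example that is not part of the original post and is not MIT krb5 code. The `kt_entry` struct, the `select_verify_key` helper and both sample keytabs are constructed for illustration; nothing here calls `krb5_verify_init_creds`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a keytab entry; not the krb5_keytab_entry type. */
struct kt_entry {
    const char *principal;
    unsigned kvno;
};

/* Constructed sample: one keytab file carrying every key for the host. */
static const struct kt_entry shared_keytab[] = {
    { "HTTP/www.example.org@EXAMPLE.ORG", 3 },
    { "host/www.example.org@EXAMPLE.ORG", 1 },
    { "imap/www.example.org@EXAMPLE.ORG", 5 },
    { "host/www.example.org@EXAMPLE.ORG", 2 },
};
/* Constructed sample: no host key at all, so the fallback applies. */
static const struct kt_entry no_host_keytab[] = {
    { "HTTP/www.example.org@EXAMPLE.ORG", 3 },
    { "imap/www.example.org@EXAMPLE.ORG", 5 },
    { "HTTP/www.example.org@EXAMPLE.ORG", 4 },
};

/* Hypothetical helper: index of the entry to verify against, or -1.
 * Pass 0 looks at host keys only; pass 1 (no host key found) takes any
 * key. Within the chosen principal, the highest kvno wins. */
int select_verify_key(const struct kt_entry *kt, int n)
{
    for (int pass = 0; pass < 2; pass++) {
        int best = -1;
        for (int i = 0; i < n; i++) {
            if (pass == 0 && strncmp(kt[i].principal, "host/", 5) != 0)
                continue;
            if (best < 0 || (strcmp(kt[i].principal, kt[best].principal) == 0
                             && kt[i].kvno > kt[best].kvno))
                best = i;
        }
        if (best >= 0)
            return best;
    }
    return -1;
}

int main(void)
{
    int i = select_verify_key(shared_keytab, 4);
    int j = select_verify_key(no_host_keytab, 3);
    printf("%s kvno %u\n", shared_keytab[i].principal, shared_keytab[i].kvno);
    printf("%s kvno %u\n", no_host_keytab[j].principal, no_host_keytab[j].kvno);
    return 0;
}
```

In the second sample the selected key belongs to a service principal, which is the case the message treats as a fallback because copies of such keys may be readable by a non-root service.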
