> The question is while providing support for a service to be a kerberized
> service -
> what are the security issues/advantages by providing the option for the
> user to have individual keytab file (can be different from
> /etc/krb5.keytab and holds the key of that particular service) for the
> kerberized service Vs using the default keytab file (/etc/krb5.keytab).
>
> Is it necessary to have separate keytab file for the kerberized service
> different from the default keytab file (/etc/krb5.keytab for linux) ? i.e
> does it provide any more security that already root only access
> /etc/krb5.keytab.

One time when you may want/need to use a keytab file other than
/etc/krb5.keytab is if the service runs as a user other than root --
although a lot of times running as a different user is coupled with
running in a chroot-jail so the file can still be known to the
application as /etc/krb5.keytab -- for example, from one of my servers

    vs-1# ls -l /var/chroot/accessd/etc/krb5.keytab
    -r-------- 1 accessd accessd 137 Oct 30 11:47 /var/chroot/accessd/etc/krb5.keytab

John
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
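
An added example, not part of the original post or of any Kerberos distribution: a check that a per-service keytab like the one listed above is owned by the service account, is readable by its owner only, and holds keys for that service alone. The function names, the EXAMPLE.TEST realm and the host name suffix are assumptions made for the illustration, and the parser handles keytab file format version 0x0502 only.

```python
import os, stat, struct

def keytab_principals(data):
    """Return the principals in an MIT keytab (file format version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, found = 2, set()
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted entry
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):     # realm first, then the name components
            (n,) = struct.unpack_from(">H", rec, off)
            parts.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        found.add("/".join(parts[1:]) + "@" + parts[0])
    return found

def audit_keytab(path, expected_uid, service_prefix):
    """List deviations from: owned by expected_uid, owner-only mode, service keys only."""
    st, findings = os.stat(path), []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants group/other access")
    with open(path, "rb") as fh:
        for princ in sorted(keytab_principals(fh.read())):
            if not princ.startswith(service_prefix):
                findings.append(f"unexpected principal {princ}")
    return findings

def make_entry(realm, components, key=b"\x00" * 16):
    """Build one constructed keytab entry with a dummy all-zero key (demo input)."""
    cs = lambda b: struct.pack(">H", len(b)) + b      # counted octet string
    body = struct.pack(">H", len(components)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, 1)              # name type, timestamp, vno8
    body += struct.pack(">H", 17) + cs(key)           # enctype 17, key bytes
    return struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    kt = b"\x05\x02" + make_entry("EXAMPLE.TEST", ["accessd", "vs-1.example.test"])
    print(sorted(keytab_principals(kt)))
```

A keytab that also carries a host/ key shows up as an "unexpected principal" finding, which is the exposure a separate per-service file avoids when the service does not run as root.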
