On Thu, May 15, 2008 at 08:58:52AM -0700, Scott Rotondo wrote:
> I'm thinking that one of the following is probably true now:
> 
> 1. We no longer care about roles acting as NIS+ principals [NIS+? What's 
> that?] and we have no other situation where a credential is generated 
> from the login password.

Well, no, because the same consideration applies to Kerberos V as did to
DH credentials (speaking of which, when NIS+ goes away we'll still have
mech_dh to kick around).

> 2. If #1 is not true, we can store the role's credential (in the role's 
> home directory, for example) so that it can be accessed only by the role 

Yes.  In krb5 speak we'd keep them in a keytab, but not in a home
directory since it might not be local and might require those self-same
credentials to access.

> account. In general, this solution doesn't work for NIS+ credentials 
> because superuser access on a client machine would override file 
> permissions. Of course, one could administratively arrange for the file 
> containing the credential to be NFS-mounted from a server that does not 
> grant superuser access to remote clients.

Roles that need network authentication credentials will need
per-{role,host} credentials.

Nico
-- 