On Thu, 2008-05-15 at 08:58 -0700, Scott Rotondo wrote:

> 1. We no longer care about roles acting as NIS+ principals [NIS+? What's
> that?] and we have no other situation where a credential is generated
> from the login password.
The latter half of #1 is false; Kerberos uses the login password as part of acquiring network credentials.

> 2. If #1 is not true, we can store the role's credential (in the role's
> home directory, for example) so that it can be accessed only by the role
> account. In general, this solution doesn't work for NIS+ credentials
> because superuser access on a client machine would override file
> permissions. Of course, one could administratively arrange for the file
> containing the credential to be NFS-mounted from a server that does not
> grant superuser access to remote clients.

This doesn't work for Kerberos because its credentials are perishable.
