On 30 Aug 08 at 16:33, Simo Sorce wrote:

> If the permissions on the file are strict and allow access only to the
> respective http and ftp user, it means that compromise of one service
> does not allow access to the keytab of another service.

OK, that's the point I missed about the prefix usage. Thanks.

> You could make the keytab file and principal name configurable.
> Best option is to make the principal name be rsync/ and keep the keytab
> somewhere located where the rest of the rsync daemon configuration files
> are placed, and with permissions on the keytab file to be 400 with
> ownership of the user used to run the rsyncd daemon.

Yes, I do totally agree. But the keytab is a pure Kerberos thing, so
how can it be specified using GSSAPI? MIT Kerberos uses an environment
variable, for example. How do others?
Anyway, I'm OK with changing the service name.
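The keytab handling discussed in this thread (a file with mode 400 owned by the rsyncd user, selected through an environment variable under MIT Kerberos), as an added example that is not part of the thread or of the rsync patch. `keytab_is_private` and `use_keytab` are hypothetical helper names, and the sketch assumes a GSSAPI library that reads `KRB5_KTNAME`, as MIT Kerberos does.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns 0 if `path` is a regular file owned by
 * `owner` with no group/other permission bits, else -1 with errno set. */
int keytab_is_private(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink placed where the keytab should be. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* fstat on the descriptor avoids a check/use race on the path name. */
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    if (!S_ISREG(st.st_mode)) { errno = EINVAL; return -1; }
    if (st.st_uid != owner)   { errno = EPERM;  return -1; }
    /* Mode 400 or 600 passes; any group/other bit fails. */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) { errno = EACCES; return -1; }
    return 0;
}

/* Hypothetical helper: validate the keytab, then select it through
 * KRB5_KTNAME before the daemon acquires its acceptor credential. */
int use_keytab(const char *path, uid_t owner)
{
    char name[4096];
    if (keytab_is_private(path, owner) != 0)
        return -1;
    if (snprintf(name, sizeof name, "FILE:%s", path) >= (int)sizeof name) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return setenv("KRB5_KTNAME", name, 1);
}
```

The environment variable is process-wide, so it has to be set before the first GSSAPI call and before any worker processes are forked.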