On 01/02/11 12:40 +0000, Brian Candler wrote:
You might be able to get some ideas from here: http://mailman.mit.edu/pipermail/kerberos/2011-January/016989.html
You should bear in mind that ultimately you're going to have some sort of "password" stored in a file somewhere on the client machine - whether it be a Kerberos keytab, or the private key for a TLS certificate, or something else. Anyone who has root on the client box will be able to use those credentials.
Yes, but you can protect the keytab file from the service making the LDAP client connection, so that a particular service getting compromised does not obtain access to the keytab file.
If a service were to be compromised, then the attacker would have access to the server for the remainder of the life of the Kerberos TGT only.
We do the following in root's crontab for all of our services running on remote servers (heimdal-kcm might be another option):
0 */1 * * * ( KRB5CCNAME=FILE:/tmp/krb5cc_33 kinit --keytab=/etc/krb5.keytab-HTTP HTTP/lokai.example.net ; chown www-data:www-data /tmp/krb5cc_33 )
And for services running on the same system, EXTERNAL over ldapi is ideal.
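The root cron job above, written out as a standalone script. This is an added example and not part of the original thread or the poster's setup: it keeps the Heimdal `kinit --keytab=` form used in the posted crontab line (the MIT equivalent is noted in a comment), and the keytab path, principal, service user and cache directory are assumptions chosen to match the post. Beyond the one-liner, it refuses to run if the keytab is readable by the service account (the whole point of the scheme), obtains the ticket into a temporary file inside a root-owned directory rather than a fixed name in world-writable /tmp, and renames it into place so the service never reads a half-written cache.

```shell
#!/bin/sh
# krb5-refresh-HTTP: hand a service user a fresh TGT without giving it the keytab.
# Hypothetical script; paths, principal and user are assumptions, not from the post.
set -eu

KEYTAB=${KEYTAB:-/etc/krb5.keytab-HTTP}        # root:root 0600, never readable by SVC_USER
PRINC=${PRINC:-HTTP/lokai.example.net}
SVC_USER=${SVC_USER:-www-data}
CC_DIR=${CC_DIR:-/run/krb5cc-HTTP}             # root-owned dir, not the shared /tmp
CC_FILE=$CC_DIR/krb5cc                         # service runs with KRB5CCNAME=FILE:$CC_FILE

# keytab_is_private FILE SVC_USER
# Returns 0 only if FILE exists, has no group/other permission bits and is not
# owned by SVC_USER, i.e. a compromised service cannot read the long-term key.
# Uses GNU stat(1) (-c); adjust for BSD stat -f if needed.
keytab_is_private() {
    file=$1
    svc=$2
    [ -f "$file" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1
    owner=$(stat -c '%U' "$file") || return 1
    case "$mode" in
        *00) ;;                # 600, 400, 700 ... : group and other bits all clear
        *) return 1 ;;
    esac
    [ "$owner" != "$svc" ]
}

# refresh_ccache
# kinit from the keytab as root into a temp file, then hand the resulting
# ticket cache (only the TGT, not the key) to the service user atomically.
refresh_ccache() {
    if ! keytab_is_private "$KEYTAB" "$SVC_USER"; then
        echo "refusing: $KEYTAB is readable by $SVC_USER or missing" >&2
        return 1
    fi
    # Directory: root owns it, service group may traverse it, nobody else may.
    install -d -m 0750 -o root -g "$SVC_USER" "$CC_DIR"
    tmp=$(mktemp "$CC_DIR/krb5cc.XXXXXX")
    # Heimdal syntax as in the posted crontab; MIT would be: kinit -k -t "$KEYTAB" "$PRINC"
    if ! KRB5CCNAME="FILE:$tmp" kinit --keytab="$KEYTAB" "$PRINC"; then
        rm -f "$tmp"
        return 1
    fi
    chown "$SVC_USER:$SVC_USER" "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$CC_FILE"    # rename is atomic: the service sees old or new cache, never partial
}

# Root crontab entry (hourly, like the original):
#   0 * * * * /usr/local/sbin/krb5-refresh-HTTP refresh
case "${1:-}" in
    refresh) refresh_ccache ;;
esac
```

The exposure window is unchanged from the post: an attacker who compromises the service can use the TGT in `$CC_FILE` until it expires, but cannot mint new tickets because the keytab is never readable by `www-data`, which `keytab_is_private` enforces before each refresh.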