
Re: Getting tickets for boot scripts

> 4.16 Providing Kerberos credentials to servers and programs
> ===========================================================
> Some services require Kerberos credentials when they start to make
> connections to other services or use them when they have started.
> The easiest way to get a ticket for a service is to store the key in
> a keytab. Both ktutil get and kadmin ext can be used to get a keytab.
> ktutil get is better in that it changes the key/password for the
> user. This is the problem with ktutil. If ktutil is used for the same
> service principal on several hosts, the keytab will only be useful on the
> last host. In that case, run the command on one host and copy the keytab
> around to all other hosts that need it.
>      host# ktutil -k /etc/krb5-service.keytab \
>            get -p lha/admin@EXAMPLE.ORG service-principal@EXAMPLE.ORG
>      lha/admin@EXAMPLE.ORG's Password:
> To get a Kerberos credential file for the service, use kinit in the
> --keytab mode; this will not ask for a password but rather take the key
> from the keytab.
>      service@host$ kinit --cache=/var/run/service_krb5_cache \
>                     --keytab=/etc/krb5-service.keytab \
>             service-principal@EXAMPLE.ORG
> Long running services might need credentials longer than the expiration
> time of the tickets. kinit can run in a mode that refreshes the tickets
> before they expire. This is useful for services that write into AFS and
> other distributed file systems using Kerberos.
>      service@host$ kinit --cache=/var/run/service_krb5_cache \
>                     --keytab=/etc/krb5-service.keytab \
>             service-principal@EXAMPLE.ORG script-to-start-service

OK I'm looking at this again, and let me see if I have it straight
I have a pgsql service key postgres/host.example.com@EXAMPLE.COM
a user pgsnorter@EXAMPLE.COM

I export into the keytab, among other things like ssh principals, the postgres
principal. That keytab goes to every server since it's used for all of those
services. Then I create another one with ktutil that has pgsnorter@EXAMPLE.COM
and I distribute that to my snort sensors. Then I start snort with
kinit --cache /path/to/somewhere --keytab=[path to keytab with pgsnorter in 
it] pgsnorter@EXAMPLE.COM /etc/rc.d/snort.sh

Or did I read something wrong? Should I just have the one keytab that has
everything and distribute that everywhere, or create some that don't have the 
pgsnorter principal in it and then create another that has pgsnorter and 
distribute that to just the snort sensors? I don't want to have systems that 
don't need access to the database to have it.
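
An added example, not part of the original message: one way to check that a host's keytab holds only the principals its role needs, so that the pgsnorter key stays on the snort sensors. The function names and the sample listing are constructed for illustration, and the listing layout (Vno, Type, Principal columns) is assumed to match what Heimdal's ktutil list prints.

```shell
#!/bin/sh
# Added example: flag principals in a keytab listing that the host's role
# does not need. Assumption: the listing has the column layout of Heimdal
# "ktutil -k FILE list" (Vno, Type, Principal).

# Constructed sample listing for a host that is NOT a snort sensor.
sample_listing() {
cat <<'EOF'
/etc/krb5.keytab:

Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  host/web1.example.com@EXAMPLE.COM
  1  des3-cbc-sha1            host/web1.example.com@EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  pgsnorter@EXAMPLE.COM
EOF
}

# unexpected_principals ALLOWED...
# Reads a listing on stdin; prints each distinct principal not in ALLOWED.
unexpected_principals() {
    allowed=" $* "
    # Key entries are the lines whose first field is a key version number.
    awk '$1 ~ /^[0-9]+$/ && NF >= 3 { print $3 }' | sort -u |
    while read -r princ; do
        case "$allowed" in
            *" $princ "*) ;;                    # expected for this role
            *) printf '%s\n' "$princ" ;;        # key this host should not hold
        esac
    done
}

# audit_keytab_listing ALLOWED...
# Returns 0 when the listing holds only allowed principals, 1 otherwise.
audit_keytab_listing() {
    extra=$(unexpected_principals "$@")
    if [ -n "$extra" ]; then
        printf 'unexpected key: %s\n' $extra >&2
        return 1
    fi
    return 0
}

# Demo on the constructed listing: a web host should hold only its host key.
sample_listing | audit_keytab_listing host/web1.example.com@EXAMPLE.COM ||
    echo "keytab carries keys this host does not need"
```

On a real host, pipe the output of ktutil -k /etc/krb5.keytab list into audit_keytab_listing with that host's expected principals as arguments.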