
Re: kcm and pkinit problem




On 25 Mar 2008, at 04:10, Björn Schlögl wrote:

> Hi!
>
> I try to build heimdal 1.1 without pkinit support by using --disable-pk-init,
> but it seems that the patch attached to this mail is necessary to prevent the
> following compilation error from occurring:

Committed your patch, thanks.

> Additionally, I would like to have some information about using kcm to store
> the credentials in. If I set default_cc_name in [libdefaults] in krb5.conf to
> KCM:%{uid}, kinit will fail with:
>
> kinit: krb5_cc_move: kcm_move not implemented

Implemented kcm_move, will write tests later today.

> Some questions:
> Is it recommended to prefer kcm over files in /tmp to store the credentials?
> I personally prefer running servers in chroot and not as root, but none of the
> servers in heimdal support either although none needs root privileges. Would
> you be interested to have such support? In that case I could write patches
> for that.

There is such a patch already for the KDC.

https://roundup.it.su.se/jira/browse/HEIMDAL-11

Running the KDC as non root is not itself very interesting for me since
the root vs non-root question is not very interesting if the non-root
user can still read the whole kerberos database. The split needs to be
done inside the KDC too, the part that handles the key data and the
part that handles the protocol request. Sure, the attacker can get
hold of the protocol part and issue itself a very long lived ticket,
but the keys for the users are all still safe.

Love