rsync and kerberos

Simo Sorce ssorce at redhat.com
Sat Aug 30 14:33:16 GMT 2008


They are used to identify a specific service on a machine.
Using a different prefix you end up with a different principal name.
For example: HTTP/www.example.com@EXAMPLE.COM and
FTP/www.example.com@EXAMPLE.COM

Different principal names mean different Kerberos secrets, and the
possibility of using different Kerberos keytabs like:
/etc/httpd/http.keytab and /etc/ftp/ftp.keytab

If the permissions on the file are strict and allow access only to the
respective http and ftp user, it means that compromise of one service
does not allow access to the keytab of another service.

The host/fqdn@REALM keytab is used to identify the host. The 2 services
that use it are usually SSH and pam_krb5 (to double-check that the KDC is
legitimate).

The first part is totally arbitrary, so you can freely choose to use
rsync/ or maybe RSYNC/.
You could make the keytab file and principal name configurable.
The best option is to make the principal name rsync/ and keep the keytab
where the rest of the rsync daemon configuration files are placed, with
permissions on the keytab file set to 400 and ownership of the user used
to run the rsyncd daemon.

If you make the principal configurable, the client too will need a way to
specify the principal name or at the very least the service prefix.

Simo.


On Sat, 2008-08-30 at 12:27 +0200, Bacchella Fabrice wrote:
> Ok, that's really a question for which I have no answer. Do you have
> any links that explain the purpose of host/, nfs/ and all? I don't see
> exactly what they are there for.
> 
> 
> On 30 Aug 08 at 07:00, Simo Sorce wrote:
> 
> > Reading your patch, one quick comment.
> >
> > It seems to me you define host/ in RSYNC_GSS_SERVICE; wouldn't it be
> > better to have an rsync-specific service principal like
> > rsync/full.host.name@REALM?
> >
> > The host principal should not be abused, and it is good practice to
> > have your own service (and therefore a separate keytab/secret for
> > separate services).
> >
> > HTTP, FTP, NFS, etc...  they all use their own service principal.
> >
> > Simo.
> >
> > On Sat, 2008-08-30 at 05:29 +0200, Bacchella Fabrice wrote:
> >> Indeed. Thanks for the tip about git.
> >>
> >> The diffs against 3.0.3 & git :
> >>
> >> On 30 Aug 08 at 01:02, Matt McCutchen wrote:
> >>
> >>> On Fri, 2008-08-29 at 18:50 +0200, Bacchella Fabrice wrote:
> >>>> Still working on my gss patch.
> >>>
> >>> Please remember to attach the updated patch!
> >>>
> >>> To generate a single diff, you can "git add" the files you
> >>> added/changed and then run "git diff HEAD".  You could also look
> >>> into maintaining a git repository containing your change on the Web.
> >>>
> >>> Matt
> >>
> >> -- 
> >> Please use reply-all for most replies to avoid omitting the mailing list.
> >> To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
> >> Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
> > -- 
> > Simo Sorce * Red Hat, Inc * New York
> >
> 
-- 
Simo Sorce * Red Hat, Inc * New York
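A check of the points made above (every entry in the rsync keytab carries the daemon's own service prefix rather than host/, and the file is mode 400 and owned by the rsyncd user), as an added example that is not part of this thread or of rsync itself: a small Python reader/writer for the MIT keytab file format plus two audit functions. The parser assumes the version 0x0502 layout (big-endian fields, realm stored before the name components); realm, hostname, enctype number and key bytes used when exercising it are constructed dummies.

```python
import os
import stat
import struct

def keytab_entry(principal, realm, enctype, key, kvno=1):
    """Added example, not rsync code: serialise one MIT keytab (0x0502) entry."""
    comps = principal.split("/")                 # 'service/fqdn', realm separate
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def _octets(data, pos):                          # 16-bit length-prefixed string
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return 'service/fqdn@REALM' for every live entry in a keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    names, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        end = pos + 4 + abs(size)                # negative size: deleted slot
        if size > 0:
            (ncomp,) = struct.unpack(">H", data[pos + 4:pos + 6])
            realm, pos = _octets(data, pos + 6)
            comps = []
            for _ in range(ncomp):
                c, pos = _octets(data, pos)
                comps.append(c)
            names.append("/".join(comps) + "@" + realm)
        pos = end                                # skip key material and trailer
    return names

def audit_principals(data, service):
    """Every principal must carry this daemon's own prefix (never host/)."""
    return ["unexpected principal in %s keytab: %s" % (service, n)
            for n in parse_keytab(data) if n.split("/")[0] != service]

def audit_file(path, uid):
    """The keytab should be mode 0400 and owned by the user running the daemon."""
    st, problems = os.stat(path), []
    if st.st_uid != uid:
        problems.append("owner uid %d is not the daemon user" % st.st_uid)
    if stat.S_IMODE(st.st_mode) != 0o400:
        problems.append("mode %o should be 400" % stat.S_IMODE(st.st_mode))
    return problems
```

Run audit_file against the real keytab path and audit_principals against its bytes from a cron job or a config-management check; a host/ entry showing up in the rsync keytab is exactly the mixing of secrets the thread warns against.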