rsync and kerberos

Bacchella Fabrice fabrice.bacchella at exalead.com
Sat Aug 30 15:09:15 GMT 2008


On 30 Aug 08 at 16:33, Simo Sorce wrote:


> If the permissions on the file are strict and allow access only to the
> respective http and ftp user, it means that compromise of one service
> does not allow getting access to the keytab of another service.

Ok, that's my point; I missed that about the prefix usage. Thanks.

> You could make the keytab file and principal name configurable.
> Best option is to make the principal name be rsync/ and keep the keytab
> somewhere located where the rest of the rsync daemon configuration files
> are placed, and with permissions on the keytab file to be 400 with
> ownership of the user used to run the rsyncd daemon.


Yes, I do totally agree. But the keytab is a pure Kerberos thing, so
how can it be specified using GSSAPI? MIT Kerberos uses an environment
variable, for example. How do others?

Anyway, I'm OK with changing the service name.
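Added example, not part of either poster's message: a small POSIX shell check that enforces the keytab layout Simo describes above (a regular file, permission bits exactly 0400, owned by the user the rsync daemon runs as) and then answers Fabrice's question for the MIT case by exporting KRB5_KTNAME, the environment variable MIT Kerberos's GSSAPI library reads to locate the acceptor keytab. The keytab path and the `rsyncd` user name in the usage comment are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify a service keytab is locked down
# the way the thread recommends (mode 0400, owned by the daemon user), and
# point MIT Kerberos's GSSAPI acceptor at it via KRB5_KTNAME.

# check_keytab FILE USER
# Returns 0 only if FILE is a regular file with permission bits exactly 0400
# and owned by USER; otherwise prints why on stderr and returns 1.
check_keytab() {
    keytab="$1"
    owner="$2"
    if [ ! -f "$keytab" ]; then
        echo "keytab not found: $keytab" >&2
        return 1
    fi
    # find(1) applied to a plain file just evaluates the tests on that file;
    # -perm without a leading '-' demands an exact match, so any group or
    # world bits (or a wrong owner) make the test print nothing.
    if [ -z "$(find "$keytab" -perm 0400 -user "$owner" -print 2>/dev/null)" ]; then
        echo "keytab $keytab must be mode 0400 and owned by $owner" >&2
        return 1
    fi
    return 0
}

# use_keytab FILE USER
# Runs the check, then exports KRB5_KTNAME so the MIT Kerberos GSSAPI library
# (and any daemon started from this shell) uses FILE instead of the system
# default keytab. The "FILE:" prefix is MIT's keytab type designator.
use_keytab() {
    check_keytab "$1" "$2" || return 1
    KRB5_KTNAME="FILE:$1"
    export KRB5_KTNAME
    return 0
}

# Typical use (path and user name are assumptions, not from the thread):
#   use_keytab /etc/rsyncd/rsync.keytab rsyncd && exec rsync --daemon --no-detach
```

The check deliberately refuses a keytab that is merely readable by the daemon user; a 0640 file shared with a group would pass a naive `-r` test but breaks the isolation Simo is relying on, where compromise of one service must not expose another service's keytab.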


