rsync and kerberos
fabrice.bacchella at exalead.com
Sat Aug 30 15:09:15 GMT 2008
On 30 Aug 08 at 16:33, Simo Sorce wrote:
> If the permissions on the file are strict and allow access only to the
> respective http and ftp user it means that compromise of one service
> does not allow to get access to the keytab of another service.
OK, that's the point I missed about the prefix usage. Thanks.
> You could make the keytab file and principal name configurable.
> Best option is to make the principal name be rsync/ and keep the
> somewhere located where the rest of the rsync daemon configuration
> are placed, and with permissions on the keytab file to be 400 with
> ownership of the user used to run the rsyncd daemon.
Yes, I do totally agree. But the keytab is a pure Kerberos thing, so
how can it be specified using GSSAPI? MIT Kerberos uses an environment
variable, for example. How do others do it?
Anyway I'm OK for changing the service name.
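
An added example, not part of the original message or of rsync: a pre-start check that accepts a keytab only if it is a regular file, mode 400, owned by the daemon's account, then emits the value for `KRB5_KTNAME` (the environment variable MIT Kerberos reads). The function names and the choice to require an absolute path are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: refuse a keytab unless it is a regular file, mode 0400,
# owned by the account that runs the rsync daemon.

# check_keytab PATH OWNER -> status 0 if acceptable, 1 otherwise.
# OWNER may be a user name or a numeric uid.
check_keytab() {
    kt=$1
    owner=$2
    [ -n "$owner" ] || return 1
    # Require an absolute path so the argument can never be read as an option.
    case $kt in /*) ;; *) return 1 ;; esac
    # find does not follow symlinks by default, so a symlink fails -type f.
    # -perm 0400 is an exact match: any extra group/other/write bit fails.
    match=$(find "$kt" -prune -type f -perm 0400 -user "$owner" 2>/dev/null)
    [ -n "$match" ]
}

# keytab_env PATH OWNER -> prints the KRB5_KTNAME value to export,
# or prints nothing and fails when the file does not pass check_keytab.
keytab_env() {
    check_keytab "$1" "$2" || return 1
    printf 'FILE:%s\n' "$1"
}

# Constructed demo: two empty stand-in files in a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/good.keytab";  chmod 400 "$dir/good.keytab"
    : > "$dir/loose.keytab"; chmod 644 "$dir/loose.keytab"
    me=$(id -u)
    for f in good.keytab loose.keytab; do
        if v=$(keytab_env "$dir/$f" "$me"); then
            echo "$f: ok, KRB5_KTNAME=$v"
        else
            echo "$f: rejected"
        fi
    done
    rm -rf "$dir"
}
demo
```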