tech-userlevel archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Going LDAP #2
Thor Lancelot Simon wrote:
> On Sat, Jun 28, 2008 at 09:53:13PM +0200, Anders Magnusson wrote:
>> Erik Berls wrote:
>>> On Wed, Jun 18, 2008 at 11:54 AM, Anders Magnusson
>>> <ragge%ludd.ltu.se@localhost> wrote:
>>>> Thor Lancelot Simon wrote:
>>>>> On Mon, May 26, 2008 at 08:01:54PM +0200, Anders Magnusson wrote:
>>>>>
>>>>>> xxinit -c (client)
>>>>>> - Asks about the master machine and root password for it.
>>>>>> This will get the configuration for the domain out
>>>>>> of ldap and fetch a machine key.
>>>>>>
>>>>> What is the "it" here? If "it" means the master machine, so the LDAP
>>>>> server and KDC's root password would have to be entered into each client
>>>>> when that client is initialized, I really, *really* don't like this.
>>>>>
>>>> This should be read "principal that can extract a host keytab" for the
>>>> client.
>>>> Which may or may not be root, depending of how the system is configured.
>>> Can we make it really, really difficult to be root? This seems like a
>>> pretty easy default to set as non-root (and document as such). Am I
>>> missing something?
>>>
>> No, but I think that whether or not to use the root account to fetch
>> machine keys etc. should be left as a decision by the administrator.
>
> I think that this is all quite architecturally wrong. It should not be
> done by pull -- much less by pull *as root* from the KDC -- it should be
> done by push.
>
Eh, are you complaining about how Kerberos works, or what?
-- R
Home |
Main Index |
Thread Index |
Old Index