On Fri, Nov 29, 2013 at 12:03:58PM +0100, Martin Kosek wrote:
> On 11/29/2013 11:27 AM, Natxo Asenjo wrote:
> > hi,
> >
> > just came across Erinn Looney-Triggs's excellent writeup on using
> > kerberos for relaying e-mail
> > (https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/)
> > and have a question.
> >
> > Would it not be possibly easier to just use the host's keytab
> > (/etc/krb5.keytab) instead of just deploying a new service principal
> > to every smtp client?
> >
> > I ask this because I am at the point of deploying something similar
> > and would rather not need to have to deploy another set of keytabs
> > everywhere unless this is a security malpractice, of course.
> >
> > TIA,
> > --
> > Greetings,
> > natxo
>
> Easier? Yes. More secure? Probably not.
>
> Kerberos experts may correct me, but from my POV, it is better to separate
> these privileges. If postfix works as host/`hostname`@REALM, it could act as a
> host identity. For example, an attacker could change the host's SSH public keys in
> the FreeIPA host entry in LDAP if it takes control over the mail service. Or it
> could unenroll the host entirely from FreeIPA.
>
> If it runs on its own keytab and thus its own identity, it can only act on behalf
> of itself.

yes, reusing keytabs is like giving all users the same password and making
them aware of it.

bye,
Sumit

>
> Martin
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
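The check that follows from the thread above is to confirm that the keytab handed to postfix really is a dedicated one, holding only smtp/ keys and no host/ key. This is an added example, not code from the thread, from FreeIPA or from postfix: a small parser for the MIT keytab file format (version 0x0502) plus a function that reports any principal whose service name is not the expected one. The keytab bytes it inspects are constructed in memory, the key material is filler, and the path /etc/postfix/smtp.keytab mentioned in the comments is an assumption.

```python
"""Parse an MIT Kerberos keytab (format 0x0502) and list its principals.

Added example, not code from the thread, FreeIPA or postfix. It is the check
an admin would run on a dedicated service keytab (e.g. /etc/postfix/smtp.keytab,
an assumed path) to confirm it carries only smtp/ keys and no host/ key.
The keytab bytes below are constructed in memory; the key material is filler.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"  # keytab file format version 2
NT_PRINCIPAL = 1


def _counted_string(buf, off):
    """Read a uint16 length-prefixed octet string; return (bytes, new offset)."""
    (length,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + length], off + length


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in data."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:             # negative size marks a deleted entry (a hole)
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(data, off)
            comps.append(comp.decode())
        # name_type (uint32), timestamp (uint32), 8-bit key version number
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen        # skip the key bytes themselves
        kvno = vno8
        if end - off >= 4:       # optional 32-bit kvno supersedes vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def foreign_principals(entries, service):
    """Principals whose service name is not `service` (e.g. 'smtp')."""
    return sorted({p for p, _, _ in entries if not p.startswith(service + "/")})


def check_service_keytab(data, service):
    """True when every principal in the keytab belongs to `service`."""
    return not foreign_principals(parse_keytab(data), service)


def _entry(principal, kvno, enctype, key):
    """Serialize one keytab entry; used only to build the constructed samples."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", NT_PRINCIPAL, 1385722800, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


AES256 = 18                 # aes256-cts-hmac-sha1-96
FILLER_KEY = b"\x11" * 32   # constructed filler, not a real key

# Constructed: what a dedicated postfix keytab should look like.
SMTP_KEYTAB = KEYTAB_MAGIC + _entry("smtp/mail.example.com@EXAMPLE.COM", 2, AES256, FILLER_KEY)

# Constructed: the host keytab reused for mail; it also carries the host identity.
HOST_KEYTAB = (KEYTAB_MAGIC
               + _entry("host/mail.example.com@EXAMPLE.COM", 1, AES256, FILLER_KEY)
               + _entry("smtp/mail.example.com@EXAMPLE.COM", 2, AES256, FILLER_KEY))


if __name__ == "__main__":
    for label, blob in (("smtp.keytab", SMTP_KEYTAB), ("krb5.keytab", HOST_KEYTAB)):
        for principal, kvno, enctype in parse_keytab(blob):
            print("%-12s %s kvno=%d enctype=%d" % (label, principal, kvno, enctype))
        print("%-12s dedicated to smtp: %s" % (label, check_service_keytab(blob, "smtp")))
```

On a real host the same listing comes from `klist -k /etc/postfix/smtp.keytab`; the point of the script is the `foreign_principals` check, which fails loudly when a host/ key has ended up in the file postfix reads.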
