On Tue, Apr 24, 2012 at 09:06:52AM -0400, Jeff Blaine wrote:
> How are people provisioning host principal keytabs in
> large quantities? I've never really seen anyone discuss
> this. It's not 1988 anymore ;)
I've written some tools that are in use at a couple of places which have reasonably large Kerberos installations. They are open source and available via http://oskt.secure-endpoints.com/ and deal with automating Kerberos management amongst other things. At this point, some of the high level documentation is a little light (i.e. the documentation is in the man pages rather than on the web pages).

The tools that are of interest for this problem are krb5_keytab/krb5_admin. They handle host key bootstrapping and service key provisioning. At the moment, I have mainly been using Heimdal so the head of the tree may not quite work on MIT Kerberos but it could be fixed relatively easily as it was all first developed linking against MIT.

For host key provisioning, the tools support a two step process where a host will first ask for a randomised bootstrapping key and then use that credential to ask for its host key at a later point after an externally defined process ACLs that bootstrapping key to the hostname in question. The externally defined process is site specific and should include whatever logic makes sense in the site to provide the security assurances that are desired.

-- 
Roland Dowdeswell
http://Imrryr.ORG/~elric/

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
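The two-step bootstrap described in the reply above, as an added example that is not part of the original thread and not code from the OSKT krb5_keytab/krb5_admin tools: a Python model of the control flow a KDC-side admin service has to enforce. The class and function names (BootstrapService, acl_bootstrap, request_host_key), the in-memory tables, the realm and hostnames, and the use of an HMAC over the requested hostname as a stand-in for authenticating with the bootstrap key are all assumptions made for illustration. What it shows is the property the ACL step buys: a bootstrap credential is cheap and unprivileged, it yields a host key only for the single hostname the site process bound it to, and it is consumed once used.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


class BootstrapError(Exception):
    """Raised when a request fails one of the bootstrap checks."""


@dataclass(frozen=True)
class Keytab:
    principal: str
    kvno: int
    key: bytes


class BootstrapService:
    """Assumed model of the KDC-side admin role (not the real krb5_admin).

    bootstrap_keys: bootstrap principal -> its random key
    acl:            bootstrap principal -> the one hostname it may claim
    host_keys:      host principal -> (kvno, key)
    """

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.bootstrap_keys: dict[str, bytes] = {}
        self.acl: dict[str, str] = {}
        self.host_keys: dict[str, tuple[int, bytes]] = {}

    def request_bootstrap(self) -> tuple[str, bytes]:
        """Step 1: any host gets a random, unprivileged bootstrap credential.
        It names no host and grants nothing until the site process ACLs it."""
        name = f"bootstrap/{secrets.token_hex(8)}@{self.realm}"  # assumed naming
        key = secrets.token_bytes(32)
        self.bootstrap_keys[name] = key
        return name, key

    def acl_bootstrap(self, bootstrap_principal: str, hostname: str) -> None:
        """Step 2: the externally defined, site-specific process (ticket approval,
        CMDB lookup, whatever the site trusts) binds one bootstrap credential to
        exactly one hostname. The binding is one-shot."""
        if bootstrap_principal not in self.bootstrap_keys:
            raise BootstrapError("unknown bootstrap principal")
        if bootstrap_principal in self.acl:
            raise BootstrapError("bootstrap principal already ACL'd")
        self.acl[bootstrap_principal] = hostname

    def request_host_key(self, bootstrap_principal: str, hostname: str, proof: bytes) -> Keytab:
        """Step 3: the host authenticates with the bootstrap key and asks for
        host/<hostname>. Issued only if that credential was ACL'd to that exact
        hostname; the bootstrap credential is then consumed."""
        key = self.bootstrap_keys.get(bootstrap_principal)
        if key is None:
            raise BootstrapError("unknown or already-used bootstrap principal")
        # Authentication is modelled as an HMAC over the requested hostname;
        # real Kerberos would authenticate with an AP-REQ under the bootstrap key.
        expected = hmac.new(key, hostname.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            raise BootstrapError("bad proof of bootstrap key")
        if self.acl.get(bootstrap_principal) != hostname:
            raise BootstrapError(f"{bootstrap_principal} not ACL'd for {hostname}")
        principal = f"host/{hostname}@{self.realm}"
        kvno = self.host_keys.get(principal, (0, b""))[0] + 1  # a rekey bumps kvno
        host_key = secrets.token_bytes(32)
        self.host_keys[principal] = (kvno, host_key)
        del self.bootstrap_keys[bootstrap_principal]  # one-shot credential
        del self.acl[bootstrap_principal]
        return Keytab(principal, kvno, host_key)


def host_proof(bootstrap_key: bytes, hostname: str) -> bytes:
    """Host side: prove possession of the bootstrap key for a hostname claim."""
    return hmac.new(bootstrap_key, hostname.encode(), hashlib.sha256).digest()


def provision(svc: BootstrapService, hostname: str) -> Keytab:
    """Full happy-path cycle for one host, with the ACL step in between."""
    bp, bk = svc.request_bootstrap()
    svc.acl_bootstrap(bp, hostname)
    return svc.request_host_key(bp, hostname, host_proof(bk, hostname))


def refused(fn, *args) -> bool:
    """True if the service rejects the call."""
    try:
        fn(*args)
        return False
    except BootstrapError:
        return True


def demo() -> dict:
    """Walk the protocol, including the cases the ACL step exists to stop."""
    svc = BootstrapService("EXAMPLE.COM")  # constructed realm and hostnames
    bp, bk = svc.request_bootstrap()
    web, db = "web1.example.com", "db1.example.com"
    results = {"refused_before_acl": refused(svc.request_host_key, bp, web, host_proof(bk, web))}
    svc.acl_bootstrap(bp, web)
    results["refused_wrong_host"] = refused(svc.request_host_key, bp, db, host_proof(bk, db))
    results["refused_bad_proof"] = refused(svc.request_host_key, bp, web, b"\x00" * 32)
    kt = svc.request_host_key(bp, web, host_proof(bk, web))
    results["principal"], results["kvno"] = kt.principal, kt.kvno
    results["refused_replay"] = refused(svc.request_host_key, bp, web, host_proof(bk, web))
    results["kvno_after_rekey"] = provision(svc, web).kvno  # fresh cycle rolls the key
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The part the reply leaves deliberately open, the site process that calls the equivalent of acl_bootstrap, is where the real assurance lives: if that step only checks that a request came from an address on the right subnet, any machine on that subnet can claim any hostname; if it requires a change ticket or a match against inventory, the bootstrap credential is worth nothing to anyone who cannot get past that process.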