On 7/21/2017 11:13 AM, Charles Hedrick wrote:
> The argument makes sense.
>
> However I am disturbed by the fact that a keytab can be used anywhere. If
> someone manages to become root on one machine, I'd like them not to be able
> to do things on other machines. I'm in an environment where we have systems
> administered by users, and unattended public workstations.
>
> That makes me unwilling to tell users to create key tables for cron jobs.
Sites have implemented a wide variety of approaches to authenticating cron jobs. The cron process is specific to a host and is not the user. As such, some sites provide tooling that issues host-specific principals for such use with cron; user/cron/hostname@REALM is a common format.

It is then up to the service receiving such a principal to ensure that the authenticating client is in fact connecting from the specified host.

Authorization rules can be applied as desired to grant specific permissions to

  user/cron/hostname@REALM
  user/cron/*@REALM
  user/*/*@REALM

with appropriate name folding.

Jeffrey Altman
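The two checks Jeffrey describes (the service binding a user/cron/hostname@REALM principal to the host the client actually connected from, and then matching the principal against wildcard authorization rules with name folding) as an added worked example. This is illustrative code written for this page, not MIT krb5 code or any site's tooling. It assumes the service has already authenticated the client (for example via GSSAPI) and so holds a verified principal string, and that it already knows the peer's hostname (reverse lookup of the connecting address, or whatever the site trusts); the peer hostname is passed in as plain input here. The rule list, realm and hostnames are constructed sample data, and the name folding applied (only the hostname component is case-folded and stripped of a trailing dot; user names and realms compare exactly) is this example's own choice.

```python
"""Host-bound authorization for user/cron/hostname@REALM principals.

Hypothetical example (not MIT krb5 code). Inputs assumed already verified:
the principal string comes from a successful GSSAPI/krb5 authentication,
and peer_host is the hostname the service trusts for the connecting client.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # e.g. ("hedrick", "cron", "build1.example.edu")
    realm: str                    # e.g. "EXAMPLE.EDU"


def parse_principal(name: str) -> Principal:
    """Split 'a/b/c@REALM' into components and realm.

    Honors backslash escaping of '/', '@' and '\\' so that a component may
    contain those characters, as in the krb5 unparsed form. Everything after
    the first unescaped '@' is the realm.
    """
    comps, cur, in_realm, i = [], [], False, 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):      # escaped character
            cur.append(name[i + 1])
            i += 2
            continue
        if not in_realm and c == "/":
            comps.append("".join(cur))
            cur = []
        elif not in_realm and c == "@":
            comps.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(c)
        i += 1
    if not in_realm:
        raise ValueError("principal has no realm: %r" % name)
    return Principal(tuple(comps), "".join(cur))


def fold_host(host: str) -> str:
    """Name folding for the hostname component (assumption of this example):
    DNS names are case-insensitive, and a trailing dot is insignificant."""
    return host.rstrip(".").lower()


def is_cron_principal(p: Principal) -> bool:
    return len(p.components) == 3 and p.components[1] == "cron"


def host_binding_ok(p: Principal, peer_host: str) -> bool:
    """The check Jeffrey describes: a user/cron/hostname principal is only
    acceptable when the client is in fact connecting from that host."""
    return is_cron_principal(p) and fold_host(p.components[2]) == fold_host(peer_host)


def rule_matches(pattern: str, p: Principal) -> bool:
    """Component-wise wildcard match. '*' matches one whole component, never
    across '/' boundaries; realm and non-host components compare exactly;
    the hostname component (index 2) is folded before comparison."""
    pat = parse_principal(pattern)
    if pat.realm != p.realm or len(pat.components) != len(p.components):
        return False
    for idx, (pc, c) in enumerate(zip(pat.components, p.components)):
        if pc == "*":
            continue
        if idx == 2 and is_cron_principal(p):
            if fold_host(pc) != fold_host(c):
                return False
        elif pc != c:
            return False
    return True


def authorize(principal: str, peer_host: str,
              rules: Iterable[Tuple[str, Iterable[str]]]) -> FrozenSet[str]:
    """Return the union of permissions granted by all matching rules, or the
    empty set if the principal is not host-bound to the connecting host."""
    p = parse_principal(principal)
    if not host_binding_ok(p, peer_host):
        return frozenset()
    granted = set()
    for pattern, perms in rules:
        if rule_matches(pattern, p):
            granted.update(perms)
    return frozenset(granted)


# Constructed sample rule set for a fictitious realm EXAMPLE.EDU.
RULES = [
    ("hedrick/cron/build1.example.edu@EXAMPLE.EDU", {"push-artifacts"}),
    ("hedrick/cron/*@EXAMPLE.EDU", {"read-backups"}),
    ("*/cron/*@EXAMPLE.EDU", {"ping"}),
]

if __name__ == "__main__":
    # Same keytab-derived principal presented from its own host vs. another host.
    print(authorize("hedrick/cron/build1.example.edu@EXAMPLE.EDU", "BUILD1.example.edu.", RULES))
    print(authorize("hedrick/cron/build1.example.edu@EXAMPLE.EDU", "ws7.example.edu", RULES))
```

The second call models the case Charles worries about: a keytab copied off build1 and used from a compromised workstation authenticates fine to the KDC, but the service grants it nothing because the hostname in the principal does not match the connecting host. Whether the peer hostname itself can be trusted (reverse DNS is spoofable) is the site's problem, which is why the post leaves that part to the service.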
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos