Charles Hedrick <hedr...@rutgers.edu> writes:

> The argument makes sense.
>
> However I am disturbed by the fact that a keytab can be used
> anywhere. If someone manages to become root on one machine, I’d like
> them not to be able to do things on other machines. I’m in an
> environment where we have systems administered by users, and unattended
> public workstations.
>
> That makes me unwilling to tell users to create key tables for cron
> jobs.

Yeah, if you're worried about portable keys, that's when you probably want
to do something with a system TPM. If you go down that path, I'd probably
try to figure out some way to do PKINIT using a TLS certificate stored in
the TPM. I'm not aware of anyone who has already done that work, but it
would be a pretty interesting project.

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
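As an added illustration, not part of the thread above, this is roughly what the "PKINIT with a TPM-held certificate" idea looks like as an MIT krb5 client configuration, set against the keytab approach the thread is uneasy about. It assumes a PKINIT-capable MIT krb5, a PKCS#11 provider that fronts the TPM (the tpm2-pkcs11 module is used here), and a client certificate already enrolled in that token; the realm, hostnames, paths and token labels are placeholders.

```ini
# krb5.conf excerpt (added example). Goal: a cron principal whose credential
# cannot be lifted off the host, because the private key lives in the TPM.
# Assumptions: MIT krb5 with PKINIT, tpm2-pkcs11 as the PKCS#11 provider,
# and a certificate for cron/host1 enrolled in the token "cron-tpm".
# EXAMPLE.ORG, the KDC name, file paths and labels are placeholders.

[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        # CA that issued both the KDC's and the clients' PKINIT certificates.
        pkinit_anchors = FILE:/etc/krb5/pkinit-ca.pem
        # The KDC must present a PKINIT certificate for this name, so a
        # spoofed KDC cannot hand out tickets to this client.
        pkinit_kdc_hostname = kdc.example.org
        # Client identity: certificate and key selected from the TPM-backed
        # PKCS#11 token. The key is non-exportable, so copying this file, the
        # keytab-less disk, or the whole VM image does not let another machine
        # authenticate as cron/host1. Module path is an assumption; adjust
        # to wherever libtpm2_pkcs11.so is installed.
        pkinit_identities = PKCS11:module_name=/usr/lib/x86_64-linux-gnu/libtpm2_pkcs11.so:token=cron-tpm:certlabel=cron-host1
    }

# Contrast, for the reader: the keytab approach. The keytab is a portable
# secret; whoever can read it can run this from any host that reaches the KDC:
#   kinit -k -t /etc/cron-host1.keytab cron/host1.example.org@EXAMPLE.ORG
#
# With the [realms] block above, the same job instead runs
#   kinit cron/host1.example.org@EXAMPLE.ORG
# and kinit uses PKINIT via the TPM token. Whether the token's PIN can be
# supplied non-interactively depends on the PKCS#11 provider, which is the
# main practical hurdle for unattended cron use.
```

Detecting misuse of the keytab approach is hard precisely because the key is indistinguishable wherever it is used; with the TPM-bound identity, a ticket for cron/host1 obtained from any other source address is itself an anomaly worth alerting on at the KDC.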