On 24 Sep 2010, at 18:59, Henry B. Hotz wrote:

> Best practice is to *NOT* use the system default keytab file. Use a
> service-specific one. Most services should support configuring the location
> of that keytab file.

Right, that makes a lot of sense.

> If there's nothing specific to the app, then the SASL libraries have a config
> item you can put in the app's SASL config file:
>
> keytab: <</path/to/keytab>>
>
> (Of course you'll still need to find where its SASL config file is, which may
> require resorting to dtrace.)

I will need to add code to the servers to configure a different keytab.

> Failing that, you still have an option in GSSAPI and the Kerberos libraries
> to set the environment variable KRB5_KTNAME. Set it to the path to the
> keytab file.
>
> Since this is a Sun list, I can point you at
> http://docs.sun.com/app/docs/doc/816-4557/sasl-1?a=view for more detail on
> SASL.

I'm using our own build of the CMU libsasl2 library and plugins. I'm not sure how our version differs from Sun's, but some of the options look kind of familiar :-)

Thanks for the hints!

Cheers,

Chris
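
The KRB5_KTNAME route from the thread, written as a start-up wrapper that first checks the service-specific keytab is not the system default and is not readable by group or other. This is an added example, not code from either poster; the function names and the path in the usage line are hypothetical, and the two default keytab locations are the stock MIT and Solaris ones.

```shell
#!/bin/sh
# Added example. Function names and the keytab path in the usage line are
# hypothetical; the two default locations are the stock MIT and Solaris ones.
DEFAULT_KEYTABS="/etc/krb5.keytab /etc/krb5/krb5.keytab"

# check_keytab PATH: 0 = usable, 1 = system default, 2 = missing, 3 = too open
check_keytab() {
    kt=$1
    for d in $DEFAULT_KEYTABS; do
        if [ "$kt" = "$d" ]; then
            echo "refusing system default keytab: $kt" >&2
            return 1
        fi
    done
    if [ ! -f "$kt" ] || [ ! -r "$kt" ]; then
        echo "keytab missing or unreadable: $kt" >&2
        return 2
    fi
    # A keytab holds the service's long-term keys, so group and other must
    # have no access. ls -ld reports a symlink's own mode (rwxrwxrwx), so a
    # symlinked keytab is rejected here as well.
    if [ "$(ls -ld "$kt" | cut -c5-10)" != "------" ]; then
        echo "keytab is accessible to group/other: $kt" >&2
        return 3
    fi
    return 0
}

# run_with_keytab PATH CMD [ARGS...]: run CMD with KRB5_KTNAME set for that
# process only, so other services keep their own keytab.
run_with_keytab() {
    kt=$1
    shift
    check_keytab "$kt" || return $?
    KRB5_KTNAME=$kt "$@"
}

# Usage (constructed path): run_with_keytab /etc/myservice/service.keytab /usr/sbin/myserviced
```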
