On Tue, Nov 7, 2017 at 3:31 AM Mikolaj Izdebski <mizde...@redhat.com> wrote:

> On 11/02/2017 06:40 PM, Jonny Heggheim wrote:
> > Hi, I started playing with the pass[1] unix password manager and finally
> > found a workflow that makes my Kerberos workflow scriptable :)
>
> Or you can simply create a keytab (using ktutil) and run "kinit -k"
> without typing a password.
>
> --
> Mikolaj Izdebski
> Software Engineer, Red Hat
> IRC: mizdebsk
>

Keytabs can be convenient. However, a password manager usually has the
advantage of storing its data encrypted, whereas keytabs are just sitting
on disk protected only by file system permissions. That can be overcome if
you store the keytab on an encfs FUSE mount, though. But that might be
less convenient than using a password manager. It's all security vs.
convenience trade-offs. If you are already using FDE (like LUKS), maybe
that's good enough to protect the keytab.

One thing is certain: there does not seem to be a shortage of choices on
how to manage Kerberos credentials here :)
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
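
The point above about keytabs being protected only by file system permissions, as an added example that is not part of the original message: a POSIX shell function that audits a keytab's on-disk protection before it is used with "kinit -k". The function name `audit_keytab` is hypothetical, and the check relies on the mode string printed by `ls -ld` (the trailing `+` for ACL entries is GNU ls behaviour).

```sh
#!/bin/sh
# Added example: audit the on-disk protection of a Kerberos keytab.
# audit_keytab is a hypothetical helper; any path passed in is the caller's.

# Prints one finding per line. Returns 0 when there are no findings, 1 otherwise.
audit_keytab() {
    _kt=$1
    _findings=0
    if [ -L "$_kt" ]; then
        echo "symlink: audit the resolved target instead"
        return 1
    fi
    if [ ! -f "$_kt" ]; then
        echo "missing: not a regular file"
        return 1
    fi
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
    _mode=$(ls -ld -- "$_kt" | cut -c1-11)
    if [ "$(printf '%s' "$_mode" | cut -c5-10)" != "------" ]; then
        echo "mode $_mode: group/other bits set, expected owner-only (chmod 600)"
        _findings=1
    fi
    # GNU ls appends "+" when extra ACL entries exist; they can grant access
    # that the mode bits alone do not show.
    if [ "$(printf '%s' "$_mode" | cut -c11)" = "+" ]; then
        echo "acl: extra ACL entries present, review with getfacl"
        _findings=1
    fi
    if [ ! -O "$_kt" ]; then
        echo "owner: file is not owned by the current user"
        _findings=1
    fi
    return "$_findings"
}

# Stand-alone use: sh audit_keytab.sh /path/to/user.keytab
if [ "$#" -gt 0 ]; then
    for _f in "$@"; do
        audit_keytab "$_f" || echo "=> $_f needs attention"
    done
fi
```

A clean result only confirms the permission layer; whether the underlying disk is encrypted (encfs, LUKS) is outside what this check can see.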
