Russ Allbery <ea...@eyrie.org> writes:

> Jerry Shipman <je...@cornell.edu> writes:
>
>> (I thought about that about 5 minutes after I sent the email — oops.)
>
>> I guess my question is: does kprop do anything other than: secrecy of
>> the data in transmission, integrity of the transmission, kdb5_util
>> dump/load? Or can I really do the same thing in a cron job (or maybe 2,
>> one on each end) without missing anything important? I guess I would
>> lose out on the possibility of doing incremental propagation.
>
> You lose incremental propagation, but other than that, I'm pretty sure
> kprop/kpropd is just an authenticated copy of a dump and loading it on the
> other end.

The existence of kprop as an independent Kerberos-authenticated service probably has its roots in a few historical factors that might no longer be relevant for some deployments. (I could be misremembering some of these.)

The krb4 rcp program did not originally provide any encryption of the file contents. Neither did the krb4 rsh program that the rcp program relies on. These were less of a factor for krb5, but kprop remained an independent program anyway.

Some particularly cautious operators wanted a minimum amount of attack surface in a program that handles Kerberos database dumps. The rcp program required using rsh, a general-purpose remote shell program. Also, there was not originally a capability to restrict which commands the rsh daemon could execute for a given principal. Having a special-purpose kprop program helps mitigate these risks. This program could also be written to avoid ever invoking a general-purpose shell by hardcoding the names of the programs it runs.

The scp and ssh software consist of considerably more code than Kerberos-enabled rcp and rsh, so they have a larger attack surface. You could reasonably decide that this is an acceptable risk in your environment.

-Tom