> if [ ! $guard-against-system-accounts ]; then
>     export KRB5CCNAME=/path/to/cache-depending-on-$(id -u)
I understand that with newer versions of systemd this is becoming more common ... but can I offer up a cautionary tale?

We have been using Kerberos for a LONG time; over 20 years. We are by no means the oldest Kerberos users, but we've been around for a good while and I've worked with large, diverse deployments. A long time ago we ran into issues with widespread Kerberos ticket theft from attackers, due to the quite-common usage at that time of Kerberos tickets being stored in files. The only countermeasure we were able to develop was to completely move away from Kerberos tickets being stored in files to IPC-based Kerberos credential caches that had basically the same inheritance mechanism as AFS PAGs. I wrote a custom credential cache mechanism that was portable across Unix platforms that did this, but in more recent years the availability of KEYRING on Linux and API on MacOS X has made my credential cache obsolete, for which I am glad.

Obviously everyone needs to decide where they live on the security/usability graph, but I would personally NEVER, EVER, in a million years go back to file-based credential caches. And in our experience, this hasn't been necessary, at least not for 20 years. That does come with the heavy caveat that we do not use any user-based systemd services. I'd rather develop some alternative to that than go backwards in security, because issues with ticket theft are real and I think it's only a matter of time before it becomes a larger issue.

--Ken

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
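For readers following the thread, here is the distinction Ken draws, expressed as MIT krb5 configuration. This is an added illustration, not part of Ken's message or of the quoted one; the `[libdefaults]` section and the `default_ccache_name` / `%{uid}` syntax are real MIT krb5 settings, but the file below is a constructed example, not a config from any OpenAFS site.

```ini
# /etc/krb5.conf (constructed example)
[libdefaults]
    default_realm = EXAMPLE.ORG

    # File-based cache, the style the quoted KRB5CCNAME snippet reproduces.
    # The ticket lives in a regular file under /tmp named by numeric uid;
    # anything that can read that file (another process as the same user,
    # a backup job, an attacker who has landed on the box) can copy and
    # reuse the credentials. This is the arrangement the post warns against.
    #default_ccache_name = FILE:/tmp/krb5cc_%{uid}

    # Kernel-keyring cache (Linux; MIT krb5 1.12 or later for the
    # "persistent" keyring type). The ticket is held by the kernel and
    # bound to the uid rather than written to the filesystem, which is the
    # KEYRING mechanism the post says replaced the custom IPC cache.
    default_ccache_name = KEYRING:persistent:%{uid}
```

To confirm which type a session is actually using, run `klist`: its first line, `Ticket cache: ...`, names the cache type (`FILE:`, `KEYRING:`, etc.), and a `KRB5CCNAME` exported in the environment overrides `default_ccache_name`, so a script like the quoted one can silently put a user back on a file cache even when `krb5.conf` says otherwise.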
