They are used to identify a specific service on a machine. Using a
different prefix you end up with a different principal name. For example:
HTTP/[EMAIL PROTECTED] and FTP/[EMAIL PROTECTED]

Different principal names mean different Kerberos secrets, and the
possibility to use different Kerberos keytabs like:
/etc/httpd/http.keytab and /etc/ftp/ftp.keytab

If the permissions on the file are strict and allow access only to the
respective http and ftp user, it means that compromise of one service does
not allow getting access to the keytab of another service.

The host/[EMAIL PROTECTED] keytab is used to identify the host. The 2
services that use it are usually SSH and pam_krb5 (to double check the KDC
is legitimate).

The first part is totally arbitrary so you can freely choose to use rsync/
or maybe RSYNC/.

You could make the keytab file and principal name configurable. Best
option is to make the principal name be rsync/ and keep the keytab
somewhere located where the rest of the rsync daemon configuration files
are placed, and with permissions on the keytab file to be 400 with
ownership of the user used to run the rsyncd daemon.

If you make the principal configurable the client too will need a way to
specify the principal name or at the very least the service prefix.

Simo.

On Sat, 2008-08-30 at 12:27 +0200, Bacchella Fabrice wrote:
> Ok, that's really a question for which I have no answer. Do you have
> any links that explain the purpose of host/ nfs/ and all? I don't see
> exactly what they are there for.
>
>
> On 30 Aug 08 at 07:00, Simo Sorce wrote:
>
> > Reading your patch, one quick comment.
> >
> > It seems to me you define host/ in RSYNC_GSS_SERVICE, wouldn't it be
> > better to have an rsync specific service principal like:
> > rsync/[EMAIL PROTECTED] ?
> >
> > The host principal should not be abused and it is good practice to
> > have your own service (and therefore a separate keytab/secret for
> > separate services).
> >
> > HTTP, FTP, NFS, etc... they all use their own service principal.
> >
> > Simo.
> >
> > On Sat, 2008-08-30 at 05:29 +0200, Bacchella Fabrice wrote:
> >> Indeed. Thanks for the tip about git.
> >>
> >> The diffs against 3.0.3 & git :
> >>
> >>
> >>
> >>
> >> On 30 Aug 08 at 01:02, Matt McCutchen wrote:
> >>
> >>> On Fri, 2008-08-29 at 18:50 +0200, Bacchella Fabrice wrote:
> >>>> Still working on my gss patch.
> >>>
> >>> Please remember to attach the updated patch!
> >>>
> >>> To generate a single diff, you can "git add" the files you added/
> >>> changed and then run "git diff HEAD". You could also look into
> >>> maintaining a git repository containing your change on the Web.
> >>>
> >>> Matt
> >>
> >> --
> >> Please use reply-all for most replies to avoid omitting the mailing
> >> list.
> >> To unsubscribe or change options:
> >> https://lists.samba.org/mailman/listinfo/rsync
> >> Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
> > --
> > Simo Sorce * Red Hat, Inc * New York
>

--
Simo Sorce * Red Hat, Inc * New York
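The advice in Simo's reply (a service-specific rsync/ principal, a keytab with mode 400 owned by the rsyncd user, and no shared host/ key mixed into it) can be checked mechanically. The following is an added example, not code from the rsync GSS patch or from anyone in the thread: it parses an MIT-format (0x0502) keytab and audits a file against those three rules. The realm EXAMPLE.COM, the host name files.example.com, and the all-zero keys are constructed sample data.

```python
# Added example, not code from the rsync patch or the thread: realm, host and
# keytab bytes are constructed here; the parser follows MIT's 0x0502 layout.
import os, stat, struct, tempfile

def parse_keytab(data):
    """Return the 'svc/host@REALM' principals stored in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    principals, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size < 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        entry, p, parts = data[pos:pos + size], 2, []
        for _ in range(struct.unpack(">H", entry[:2])[0] + 1):  # realm, comps
            ln = struct.unpack(">H", entry[p:p + 2])[0]
            parts.append(entry[p + 2:p + 2 + ln].decode())
            p += 2 + ln
        principals.append("/".join(parts[1:]) + "@" + parts[0])
        pos += size                   # name_type, timestamp, kvno, key skipped
    return principals

def make_entry(realm, comps, kvno=1, enctype=18, key=b"\x00" * 32):
    body = struct.pack(">H", len(comps))          # dummy aes256 key: sample only
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample keytabs: one holding only the rsync/ key, one where the
# shared host/ key has been copied in alongside it.
RSYNC_ONLY = b"\x05\x02" + make_entry("EXAMPLE.COM", ["rsync", "files.example.com"])
MIXED = RSYNC_ONLY + make_entry("EXAMPLE.COM", ["host", "files.example.com"])

def write_keytab(data, mode):
    fd, path = tempfile.mkstemp(suffix=".keytab")  # sample file for the audit
    os.write(fd, data)
    os.fchmod(fd, mode)
    os.close(fd)
    return path

def audit_keytab(path, service, owner_uid=None):
    """Findings against the advice: mode 400, daemon-owned, only svc/ keys."""
    owner_uid = os.getuid() if owner_uid is None else owner_uid  # rsyncd user
    st, findings = os.stat(path), []
    if stat.S_IMODE(st.st_mode) != 0o400 or st.st_uid != owner_uid:
        findings.append("mode %o uid %d, expected 400 owned by uid %d"
                        % (stat.S_IMODE(st.st_mode), st.st_uid, owner_uid))
    with open(path, "rb") as f:
        for princ in parse_keytab(f.read()):
            if not princ.startswith(service + "/"):   # e.g. a host/ key
                findings.append("foreign principal %s in %s keytab" % (princ, service))
    return findings
```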