From bea8330f52b6e342ae1bab996bb8fd1f10ecce23 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Tue, 17 Mar 2020 15:26:56 -0400 Subject: [PATCH] Document client keytab usage --- Document-client-keytab-usage.patch | 62 ++++++++++++++++++++++++++++++ krb5.spec | 6 ++- 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 Document-client-keytab-usage.patch diff --git a/Document-client-keytab-usage.patch b/Document-client-keytab-usage.patch new file mode 100644 index 0000000..800522f --- /dev/null +++ b/Document-client-keytab-usage.patch 
@@ -0,0 +1,62 @@ +From 90a4102f334ce0c655492de9248c3c60ffbd0449 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Mon, 16 Mar 2020 18:14:30 -0400 +Subject: [PATCH] Document client keytab usage + +ticket: 8886 (new) +tags: pullup +target_version: 1.18-next + +(cherry picked from commit 366c64897d55c86cdc616d2d1cf4617ff8a07a99) +--- + doc/admin/appl_servers.rst | 37 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +diff --git a/doc/admin/appl_servers.rst b/doc/admin/appl_servers.rst +index fee49f027..5232db9af 100644 +--- a/doc/admin/appl_servers.rst ++++ b/doc/admin/appl_servers.rst +@@ -60,6 +60,43 @@ To remove a principal from an existing keytab, use the kadmin + :end-before: _ktremove_end: + + ++Using a keytab to acquire client credentials ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++ ++While keytabs are ordinarily used to accept credentials from clients, ++they can also be used to acquire initial credentials, allowing one ++service to authenticate to another. ++ ++To manually obtain credentials using a keytab, use the :ref:`kinit(1)` ++**-k** option, together with the **-t** option if the keytab is not in ++the default location. ++ ++Beginning with release 1.11, GSSAPI applications can be configured to ++automatically obtain initial credentials from a keytab as needed. The ++recommended configuration is as follows: ++ ++#. Create a keytab containing a single entry for the desired client ++ identity. ++ ++#. Place the keytab in a location readable by the service, and set the ++ **KRB5_CLIENT_KTNAME** environment variable to its filename. ++ Alternatively, use the **default_client_keytab_name** profile ++ variable in :ref:`libdefaults`, or use the default location of ++ |ckeytab|. ++ ++#. Set **KRB5CCNAME** to a filename writable by the service, which ++ will not be used for any other purpose. Do not manually obtain ++ credentials at this location. 
(Another credential cache type ++ besides **FILE** can be used if desired, as long the cache will not ++ conflict with another use. A **MEMORY** cache can be used if the ++ service runs as a long-lived process. See :ref:`ccache_definition` ++ for details.) ++ ++#. Start the service. When it authenticates using GSSAPI, it will ++ automatically obtain credentials from the client keytab into the ++ specified credential cache, and refresh them before they expire. ++ ++ + Clock Skew + ---------- + diff --git a/krb5.spec b/krb5.spec index 55a9f87..29f33ed 100644 --- a/krb5.spec +++ b/krb5.spec @@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 5%{?dist} +Release: 6%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz @@ -54,6 +54,7 @@ Patch8: Fix-AS-REQ-checking-of-KDB-modified-indicators.patch Patch9: Allow-certauth-modules-to-set-hw-authent-flag.patch Patch10: Allow-deletion-of-require_auth-with-LDAP-KDB.patch Patch11: Refresh-manually-acquired-creds-from-client-keytab.patch +Patch12: Document-client-keytab-usage.patch License: MIT URL: https://web.mit.edu/kerberos/www/ @@ -627,6 +628,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Tue Mar 17 2020 Robbie Harwood - 1.18-6 +- Document client keytab usage + * Tue Mar 03 2020 Robbie Harwood - 1.18-5 - Refresh manually acquired creds from client keytab
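Review bot: In the doc/admin/appl_servers.rst hunk carried inside Document-client-keytab-usage.patch, step 2 tells the administrator to place the keytab "in a location readable by the service", but that keytab holds the long-term key for the client identity, so the wording should make clear it must be readable only by the service account and not by other users on the host; step 3 also has a typo, "as long the cache will not conflict", which should read "as long as the cache will not conflict". Both are in the cherry-picked upstream text, so the fix should be sent upstream as well rather than only edited in the downstream patch.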
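Review bot: The Patch12 declaration added in the krb5.spec @@ -54,6 hunk has no matching application step visible in this diff; if %prep does not use %autosetup (or something equivalent that applies every declared patch), a corresponding %patch12 -p1 line is needed, otherwise the new documentation patch is declared but never applied to the source tree.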
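Review bot: The changelog entry in the krb5.spec @@ -627,6 hunk only says "Document client keytab usage"; consider citing the upstream ticket (8886) and the cherry-picked commit recorded in the patch header so the downstream change can be traced back to its upstream origin without opening the patch file.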