Document client keytab usage

This commit is contained in:
Robbie Harwood 2020-03-17 15:26:56 -04:00
parent bef2ba57a2
commit bea8330f52
2 changed files with 67 additions and 1 deletions

View File

@ -0,0 +1,62 @@
From 90a4102f334ce0c655492de9248c3c60ffbd0449 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 16 Mar 2020 18:14:30 -0400
Subject: [PATCH] Document client keytab usage
ticket: 8886 (new)
tags: pullup
target_version: 1.18-next
(cherry picked from commit 366c64897d55c86cdc616d2d1cf4617ff8a07a99)
---
doc/admin/appl_servers.rst | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/doc/admin/appl_servers.rst b/doc/admin/appl_servers.rst
index fee49f027..5232db9af 100644
--- a/doc/admin/appl_servers.rst
+++ b/doc/admin/appl_servers.rst
@@ -60,6 +60,43 @@ To remove a principal from an existing keytab, use the kadmin
:end-before: _ktremove_end:
+Using a keytab to acquire client credentials
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+While keytabs are ordinarily used to accept credentials from clients,
+they can also be used to acquire initial credentials, allowing one
+service to authenticate to another.
+
+To manually obtain credentials using a keytab, use the :ref:`kinit(1)`
+**-k** option, together with the **-t** option if the keytab is not in
+the default location.
+
+Beginning with release 1.11, GSSAPI applications can be configured to
+automatically obtain initial credentials from a keytab as needed. The
+recommended configuration is as follows:
+
+#. Create a keytab containing a single entry for the desired client
+ identity.
+
+#. Place the keytab in a location readable by the service, and set the
+ **KRB5_CLIENT_KTNAME** environment variable to its filename.
+ Alternatively, use the **default_client_keytab_name** profile
+ variable in :ref:`libdefaults`, or use the default location of
+ |ckeytab|.
+
+#. Set **KRB5CCNAME** to a filename writable by the service, which
+ will not be used for any other purpose. Do not manually obtain
+ credentials at this location. (Another credential cache type
+ besides **FILE** can be used if desired, as long the cache will not
+ conflict with another use. A **MEMORY** cache can be used if the
+ service runs as a long-lived process. See :ref:`ccache_definition`
+ for details.)
+
+#. Start the service. When it authenticates using GSSAPI, it will
+ automatically obtain credentials from the client keytab into the
+ specified credential cache, and refresh them before they expire.
+
+
Clock Skew
----------

View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.18
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 5%{?dist}
Release: 6%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@ -54,6 +54,7 @@ Patch8: Fix-AS-REQ-checking-of-KDB-modified-indicators.patch
Patch9: Allow-certauth-modules-to-set-hw-authent-flag.patch
Patch10: Allow-deletion-of-require_auth-with-LDAP-KDB.patch
Patch11: Refresh-manually-acquired-creds-from-client-keytab.patch
Patch12: Document-client-keytab-usage.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -627,6 +628,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Tue Mar 17 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-6
- Document client keytab usage
* Tue Mar 03 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-5
- Refresh manually acquired creds from client keytab