Re: GSSAPI Authentication

Victor.Duchovni@morganstanley.com
Date: Fri Jan 02 2004 - 08:34:39 CST


On Thu, 1 Jan 2004 ms419@freezone.co.uk wrote:

> So, my options appear to be, 1) not running "smtpd" "chroot'ed", or 2)
> creating "/var/spool/postfix/etc/krb5.keytab". I've tried to discover
> how the files in "/var/spool/postfix" are maintained ... What must I do
> to ensure "/var/spool/postfix/etc/krb5.keytab" is kept current with
> "/etc/krb5.keytab"?
>

Do NOT keep the files in sync. /etc/krb5.keytab contains the host keys for
rlogin, ssh, ...; these are sensitive, and disclosure can lead to system
compromise. Using a chrooted smtpd allows you to have a separate keytab
for "smtpd"; this is a good thing. Populate the keytab in the chroot jail
with the "smtp/host.fqdn@REALM" key. Add any other files required for the
server to determine its own realm.

--
        Viktor.
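An added example, not part of the message above and not Postfix or MIT Kerberos code: a small Python reader and writer for the MIT keytab file format (version 0x0502) that lists the principals a keytab holds, flags any entry that is not an smtp/ service key, and carves out a keytab carrying only the smtp/ entry for the chroot jail. The keytab bytes are constructed in the block itself; mail.example.com, EXAMPLE.COM and the key material are placeholders.

```python
import io
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab, format version 0x0502
KRB5_NT_PRINCIPAL = 1
AES256_CTS_HMAC_SHA1 = 18     # enctype number, 32-byte key

# Constructed sample: what a host's /etc/krb5.keytab might contain.
# Real key bytes are random; these are placeholders.
SAMPLE_ENTRIES = [
    ("host/mail.example.com@EXAMPLE.COM", 2, AES256_CTS_HMAC_SHA1, b"\x11" * 32),
    ("smtp/mail.example.com@EXAMPLE.COM", 3, AES256_CTS_HMAC_SHA1, b"\x22" * 32),
]


def _cstr(b: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples as a v0x0502 keytab."""
    out = io.BytesIO()
    out.write(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))          # component count (realm excluded)
        body += _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        body += struct.pack(">I", KRB5_NT_PRINCIPAL)  # name type
        body += struct.pack(">I", 0)                  # timestamp (placeholder: epoch)
        body += struct.pack(">B", kvno & 0xFF)        # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)               # 32-bit kvno extension
        out.write(struct.pack(">i", len(body)) + body)  # entry prefixed by its size
    return out.getvalue()


def parse_keytab(data: bytes):
    """Return a list of dicts (principal, kvno, enctype, key) from keytab bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot; skip it
            pos += -size
            continue
        body = data[pos:pos + size]
        pos += size
        off = 0

        def take():                  # read one counted octet string from body
            nonlocal off
            (n,) = struct.unpack_from(">H", body, off)
            off += 2
            s = body[off:off + n]
            off += n
            return s.decode()

        (ncomp,) = struct.unpack_from(">H", body, off)
        off += 2
        realm = take()
        comps = [take() for _ in range(ncomp)]
        off += 4                     # name type, not needed here
        off += 4                     # timestamp, not needed here
        kvno = body[off]
        off += 1
        enctype, klen = struct.unpack_from(">HH", body, off)
        off += 4
        key = body[off:off + klen]
        off += klen
        if off + 4 <= len(body):     # optional 32-bit kvno; nonzero value wins
            (kvno32,) = struct.unpack_from(">I", body, off)
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def audit_chroot_keytab(data: bytes, allowed_services=("smtp",)):
    """Return (all principals, principals that do not belong in the smtpd jail)."""
    principals = [e["principal"] for e in parse_keytab(data)]
    offending = [p for p in principals
                 if "/" not in p or p.split("/", 1)[0] not in allowed_services]
    return principals, offending


def extract_service(data: bytes, service: str) -> bytes:
    """Build a new keytab holding only the entries for one service principal."""
    keep = [(e["principal"], e["kvno"], e["enctype"], e["key"])
            for e in parse_keytab(data)
            if "/" in e["principal"] and e["principal"].split("/", 1)[0] == service]
    return build_keytab(keep)


if __name__ == "__main__":
    host_keytab = build_keytab(SAMPLE_ENTRIES)
    print(audit_chroot_keytab(host_keytab))
    print(audit_chroot_keytab(extract_service(host_keytab, "smtp")))
```

In practice the jail keytab is written with the Kerberos tools rather than by hand: `kadmin -q "ktadd -k /var/spool/postfix/etc/krb5.keytab smtp/host.fqdn"` creates a fresh key version for the principal (so any other keytab holding the same principal goes stale), while `ktutil` (`rkt` the host keytab, `delent` everything but the smtp/ entry, `wkt` the new file) copies the existing entry unchanged. Either way, make the file readable only by the postfix user, put a copy of krb5.conf next to it so the chrooted daemon can find its realm, and run a check like the one above to confirm the host/ key never ended up in the jail.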