authorRuss Allbery <rra@stanford.edu>2006-09-13 23:55:24 +0000
committerRuss Allbery <rra@stanford.edu>2006-09-13 23:55:24 +0000
commit34bd4abba82885bb74361d8af0ac6bb7e708c498 (patch)
treeb926b5da6cdb66f101d73fe121ef739929102a04 /config
parent6172f4bfa2562a042c6dbd5b81d50d333a7793ef (diff)
Add the config stubs for the keytab-backend program.
Diffstat (limited to 'config')
-rw-r--r--config/allow-extract5
-rw-r--r--config/keytab6
-rw-r--r--config/keytab.acl6
3 files changed, 17 insertions, 0 deletions
diff --git a/config/allow-extract b/config/allow-extract
new file mode 100644
index 0000000..824a9b8
--- /dev/null
+++ b/config/allow-extract
@@ -0,0 +1,5 @@
+# /etc/krb5kdc/allow-extract -- List of principals for keytab retrieval.
+#
+# Any principal matching a regular expression in this file will be
+# eligible for keytab retrieval through keytab-backend. Be careful to
+# anchor the regular expressions and include realm information if needed.
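Review bot: The advice to anchor the expressions, in the last two comment lines, does not say what goes wrong if it is skipped, and the stub has no sample entry to copy from. If keytab-backend applies each pattern as a search rather than a full match (not visible in this commit), an unanchored pattern would also admit any principal that merely contains the intended name, widening the set of keys that can be extracted. I would add a sentence such as `# An unanchored pattern matches anywhere in the principal name.` and a commented entry clearly marked as a constructed sample, e.g. `# ^service/[^/@]+@EXAMPLE\.ORG$`.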
diff --git a/config/keytab b/config/keytab
new file mode 100644
index 0000000..8446866
--- /dev/null
+++ b/config/keytab
@@ -0,0 +1,6 @@
+# /etc/remctl/conf.d/keytab -- Run keytab-backend for keytab retrieval.
+#
+# This is a remctld configuration fragment to run kdc-backend to permit
+# remote retrieval of certain keytabs.
+
+keytab retrieve /usr/sbin/kdc-backend /etc/remctl/acl/keytab
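Review bot: The command line and the second comment paragraph name `kdc-backend`, while this file's header line, the commit message and config/allow-extract all call the program keytab-backend. If the installed binary is /usr/sbin/keytab-backend, remctld will fail to run this command. If some other program is ever installed as /usr/sbin/kdc-backend, it would be the one run under the keytab ACL. Assuming keytab-backend is the intended name, the command should read `keytab retrieve /usr/sbin/keytab-backend /etc/remctl/acl/keytab` and the comment `# This is a remctld configuration fragment to run keytab-backend to permit`.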
diff --git a/config/keytab.acl b/config/keytab.acl
new file mode 100644
index 0000000..c55ae46
--- /dev/null
+++ b/config/keytab.acl
@@ -0,0 +1,6 @@
+# /etc/remctl/acl/keytab -- ACL for keytab retrieval.
+#
+# This is the ACL controlling who can retrieve keytabs for the existing
+# keys of principals matching lines in /etc/krb5kdc/allow-extract. It
+# usually should only contain one principal, the principal of the wallet
+# server.
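Review bot: The comment says who normally belongs in this ACL but not what a listed principal gains, and the stub ships with no entries. Every principal listed here can obtain the existing keys of all principals matched by /etc/krb5kdc/allow-extract, so I would state that directly, e.g. `# Anyone listed here can retrieve the keys of every principal allowed by allow-extract.` It would also help to say what remctld does with an ACL that has no entries (presumably nobody is authorized, but that is not visible here). A commented placeholder entry marked as a sample, such as `# service/wallet@EXAMPLE.ORG`, would show the expected format.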