Diffstat (limited to 'config')
-rw-r--r-- | config/allow-extract | 5 | ||||
-rw-r--r-- | config/keytab | 6 | ||||
-rw-r--r-- | config/keytab.acl | 6 |
3 files changed, 17 insertions, 0 deletions
diff --git a/config/allow-extract b/config/allow-extract
new file mode 100644
index 0000000..824a9b8
--- /dev/null
+++ b/config/allow-extract
@@ -0,0 +1,5 @@
+# /etc/krb5kdc/allow-extract -- List of principals for keytab retrieval.
+#
+# Any principal matching a regular expression in this file will be
+# eligible for keytab retrieval through keytab-backend. Be careful to
+# anchor the regular expressions and include realm information if needed.
diff --git a/config/keytab b/config/keytab
new file mode 100644
index 0000000..8446866
--- /dev/null
+++ b/config/keytab
@@ -0,0 +1,6 @@
+# /etc/remctl/conf.d/keytab -- Run keytab-backend for keytab retrieval.
+#
+# This is a remctld configuration fragment to run kdc-backend to permit
+# remote retrieval of certain keytabs.
+
+keytab retrieve /usr/sbin/kdc-backend /etc/remctl/acl/keytab
diff --git a/config/keytab.acl b/config/keytab.acl
new file mode 100644
index 0000000..c55ae46
--- /dev/null
+++ b/config/keytab.acl
@@ -0,0 +1,6 @@
+# /etc/remctl/acl/keytab -- ACL for keytab retrieval.
+#
+# This is the ACL controlling who can retrieve keytabs for the existing
+# keys of principals matching lines in /etc/krb5kdc/allow-extract. It
+# usually should only contain one principal, the principal of the wallet
+# server.
 |
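Review bot: The header of config/allow-extract tells the administrator to anchor patterns and include the realm, but gives no example of what a safe entry looks like. Assuming keytab-backend applies each line as an ordinary unanchored regular expression, a pattern without `^`, `$` and the realm would make more principals eligible for extraction of their existing keys than intended. I would add a commented sample after the last comment line, for instance `# ^service/[^/@]+@EXAMPLE\.ORG$` (constructed value), and a line saying that an empty file makes no principal eligible, if that is the backend's behaviour.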
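Review bot: The comments and the command line in config/keytab name two different programs. The header line says keytab-backend (as does config/allow-extract), while the description and the executable path say kdc-backend, `/usr/sbin/kdc-backend`. If the installed backend is keytab-backend, remctld would be pointed at a path that does not exist, or at an unrelated binary of that name. The line should presumably read `keytab retrieve /usr/sbin/keytab-backend /etc/remctl/acl/keytab`, with the description changed to match. The installed path is not visible in this commit, so confirm it against the package before changing.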