Environment variable for client flags?

Environment variable for client flags?

John Devitofranceschi
Has an environment variable for client flags ever been considered?

The specific use case I’m thinking about is a situation where a user may want to override a system-wide configuration without the overhead of managing their own KRB5_CONFIG file.

Example: krb5.conf specifies that forwardable tickets are to be requested but a principal is defined which disallows the use of forwardable credentials. If the user could define an environment variable that overrides this and other settings (KRB5_CLIENT_FLAGS="forwardable=false; ticket_lifetime=10m" for example) they could more easily use a keytab with KRB5_CLIENT_KTNAME, and MEMORY-based credentials.

Any of the settable flags that one can define on the kinit command line could be set in the variable.

jd
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Environment variable for client flags?

Greg Hudson
On 07/07/2018 02:29 PM, John Devitofranceschi wrote:
> Has an environment variable for client flags ever been considered?
>
> The specific use case I’m thinking about is a situation where a user may want to override a system-wide configuration without the overhead of managing their own KRB5_CONFIG file.

I don't think that idea has come up before.  The Kerberos development
community has traditionally had some antipathy towards environment
variables, although of course a number of them have been added over time.

You can currently specify multiple config files, like:

   KRB5_CONFIG=/path/to/my/config:/etc/krb5.conf

How overrides work in this construction isn't as well-defined as I would
like, but for initial ticket options, relations defined in the first
file should take precedence.

Although using <(printf "[libdefaults]\n forwardable=false\n") in the
above construction might be convenient, it should be avoided for now
because of http://krbdev.mit.edu/rt/Ticket/Display.html?id=8651 .
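
Added example (not part of the original thread and not code from MIT krb5): one way to use the multiple-file KRB5_CONFIG form described in the reply above with a regular temporary file instead of process substitution. The function names `add_relation` and `run_with_overrides` and the sample principal are assumptions made for illustration.

```shell
#!/bin/sh
# Run one command with per-user [libdefaults] relations layered ahead of the
# system krb5.conf, using a private regular file that is removed afterwards.

# add_relation FILE KEY=VALUE
# Appends one relation to FILE. Accepts only a single simple key=value pair, so
# an argument cannot smuggle in newlines, brackets or a second section.
add_relation() {
    case $2 in
        *[!A-Za-z0-9_=.:/-]*|=*|*=|*=*=*) return 1 ;;
        *=*) printf '    %s = %s\n' "${2%%=*}" "${2#*=}" >> "$1" ;;
        *) return 1 ;;
    esac
}

# run_with_overrides SYSTEM_CONF KEY=VALUE... -- COMMAND [ARGS...]
# Returns 2 if a relation is rejected, otherwise COMMAND's exit status.
run_with_overrides() {
    sysconf=$1; shift
    tmpdir=$(mktemp -d) || return 1          # private directory (mode 0700)
    file="$tmpdir/override.conf"
    ( umask 077; printf '[libdefaults]\n' > "$file" )
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        add_relation "$file" "$1" || { rm -rf "$tmpdir"; return 2; }
        shift
    done
    [ "${1-}" = "--" ] && shift
    rc=0
    # The override file is listed first so its relations take precedence for
    # initial ticket options, as the reply above describes.
    KRB5_CONFIG="$file:$sysconf" "$@" || rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}

# Typical call (user@EXAMPLE.COM is a constructed principal):
#   run_with_overrides /etc/krb5.conf forwardable=false ticket_lifetime=10m \
#       -- kinit -k -i user@EXAMPLE.COM
```

The override only applies to the wrapped command; the caller's own environment and the system krb5.conf are left unchanged.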