LCFG Profile Security Project

Having added support to the LCFG installer for prompting the user for a Kerberos principal at the very beginning of the process, it would be nice to be able to use that for all other steps which need authentication. In particular, the call to kdcregister to create the host keytab file should not need to also prompt the user for the principal and password.

I quickly discovered this is a slightly awkward problem because the kdcregister command is issued via the baseinstall component, which is called using the om command. When calling any component method, om will first clear the environment to make it safe. This means that the path to the credentials cache, which is usually found from the KRB5CCNAME environment variable, is not available to kdcregister.

I considered various approaches to solving this problem and eventually concluded that om needed a new feature which would be similar to the env_keep option supported by sudo. This can then be used to specify a list of environment variables which will not be cleared. Using this feature is straightforward: the LCFG schema for om, which is inherited by most components, now includes an om_env_keep resource. The feature is supported in version 0.13.1 of the lcfg-om package, which will be in the next weekly stable release.
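The clear-then-keep behaviour described above, as an added Python sketch of the general technique; it is not om's code. The function names, the baseline PATH, the refusal list and the sample environment are all assumptions made for illustration.

```python
import subprocess

# Assumed fixed baseline for the child process; om's real baseline is not
# described on the page.
SAFE_BASELINE = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}

# Variables that change how the child loads or runs code. Keeping them would
# undo the point of clearing the environment (assumed policy, not om's).
NEVER_KEEP_PREFIXES = ("LD_", "DYLD_")
NEVER_KEEP_NAMES = {"PATH", "IFS", "PERL5LIB", "PERL5OPT", "PYTHONPATH"}


def scrub_environment(parent_env, env_keep):
    """Build the child's environment from scratch, copying only kept names."""
    child_env = dict(SAFE_BASELINE)
    for name in env_keep:
        if name in NEVER_KEEP_NAMES or name.startswith(NEVER_KEEP_PREFIXES):
            raise ValueError(f"refusing to keep unsafe variable: {name}")
        if name in parent_env:
            child_env[name] = parent_env[name]
    return child_env


def run_scrubbed(argv, parent_env, env_keep):
    """Run argv with the scrubbed environment and return its stdout."""
    result = subprocess.run(
        argv,
        env=scrub_environment(parent_env, env_keep),
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


# Constructed sample of an installer's environment after the early kinit.
SAMPLE_PARENT_ENV = {
    "PATH": "/tmp/untrusted:/usr/bin",
    "LD_PRELOAD": "/tmp/untrusted/hook.so",
    "KRB5CCNAME": "FILE:/tmp/krb5cc_install",
    "HOME": "/root",
}

if __name__ == "__main__":
    # With the keep list empty the cache path is lost; with it, it survives.
    print(scrub_environment(SAMPLE_PARENT_ENV, []))
    print(scrub_environment(SAMPLE_PARENT_ENV, ["KRB5CCNAME"]))
```

The keep list is matched by exact name, so only the credentials cache path crosses into the child; everything else from the caller, including its PATH, is replaced or dropped.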
