#43 Apache-readable keytab is a security risk

[Anders Kaseorg]

Since the Krb5Keytab must be readable by the Apache process, it is difficult or impossible to prevent it from being served to the web if there are untrusted user accounts on the system (e.g. shared hosting).

To fix this, the keytab needs to be read as root before Apache drops privileges, like how mod_ssl reads the SSL private key.