[39219] in Kerberos


Re: Is there a way to steer kinit to a specific kdc?

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Wed Apr 5 10:52:22 2023

Message-ID: <202304051446.335EkAb9025556@hedwig.cmf.nrl.navy.mil>
To: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>
cc: kerberos@mit.edu
In-Reply-To: <4c59d692-3d8a-553-20e8-388e7446f37@prime.gushi.org>
MIME-Version: 1.0
Date: Wed, 05 Apr 2023 10:46:09 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>It *looks* like, in order to check basically fakes this out with a 
>krb5.conf that only includes a single KDC (the one being tested).
>
>Is that really the best way to go about it?
>
>Can neither MIT kinit nor the Heimdal one supplied with BSD systems by
>default, not just be forced to a single KDC?

You are correct; there's no easier way to go about it.  At least for
MIT Kerberos you could write a "locate" plugin that provided some way
of specifying server locations.  That would probably be worse than just
writing out a custom krb5.conf.  As a practical matter I could see it
being challenging to design a good API to do that and it would probably
have limited use.  I feel your pain because there are a number of
times when I specifically contact a single KDC for testing/development
purposes and I also just edit krb5.conf.  FWIW, there are many times
when I want to do some testing and send a TGS-REQ to a particular KDC
and that would involve not just having a modified kinit, so I think
the problem is more complex than it appears.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
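
The custom-krb5.conf approach discussed in this thread, as an added example that is not part of the original message: it writes a throwaway profile naming exactly one KDC and runs a command with the KRB5_CONFIG environment variable pointing at it. The helper names are hypothetical, the realm, host and principal in the usage comment are constructed, and the profile keys are the MIT Kerberos ones.

```shell
#!/bin/sh
# Added example: pin a Kerberos client command to a single KDC by giving it
# a temporary krb5.conf. Helper names are hypothetical; assumes MIT Kerberos.

# Write a krb5.conf that lists only the given KDC; print its path.
write_single_kdc_conf() {
    realm=$1
    kdc=$2
    # Refuse input that could break out of the profile syntax.
    case $realm in ''|*[!A-Za-z0-9.-]*) echo "bad realm" >&2; return 2 ;; esac
    case $kdc in ''|*[!A-Za-z0-9.:-]*) echo "bad kdc" >&2; return 2 ;; esac
    conf=$(mktemp "${TMPDIR:-/tmp}/krb5-single.XXXXXX") || return 1
    cat >"$conf" <<EOF
[libdefaults]
    default_realm = $realm
    # Keep DNS SRV records from supplying other KDCs.
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
    }
EOF
    printf '%s\n' "$conf"
}

# Run a command against one KDC, then remove the temporary profile.
with_single_kdc() {
    conf=$(write_single_kdc_conf "$1" "$2") || return $?
    shift 2
    rc=0
    KRB5_CONFIG=$conf "$@" || rc=$?
    rm -f "$conf"
    return $rc
}

# Usage (constructed names):
#   with_single_kdc EXAMPLE.COM kdc2.example.com kinit alice@EXAMPLE.COM
```

Because the profile replaces the system krb5.conf for that one command, any site settings the test depends on (encryption types, realm mappings) would have to be copied into the generated file as well.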
