[39220] in Kerberos
Re: Is there a way to steer kinit to a specific kdc?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Apr 5 12:16:43 2023
Message-ID: <2fc07758-f37a-d419-7c6a-7e303acc01b5@mit.edu>
Date: Wed, 5 Apr 2023 12:11:42 -0400
MIME-Version: 1.0
Content-Language: en-US
To: "Dan Mahoney (Gushi)" <danm@prime.gushi.org>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <4c59d692-3d8a-553-20e8-388e7446f37@prime.gushi.org>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu
On 4/5/23 00:52, Dan Mahoney (Gushi) wrote:
> Can neither mit kinit nor the heimdal one supplied with BSD systems by
> default, not just be forced to a single KDC?
It can't, and the library APIs don't really enable it. A program could
use krb5_init_creds_step() or krb5_tkt_creds_step() to compose KDC
requests and do its own network transport, but kinit isn't in the
business of doing its own network stuff and it doesn't use the _step APIs.
Adding an init_creds option to specify a KDC host would raise some
questions. Does the application specify a hostname or an address? Can
it specify specifically TCP or UDP or the fallback order? What about https?
At this time I would rather see an externally-maintained KDC probe
application using the _step APIs (or for people to keep doing this with
faked-up krb5.conf files) than accept the complexity of building this
into the MIT krb5 kinit and the API.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
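The "faked-up krb5.conf" workaround Greg refers to is the practical way to pin a kinit run to one KDC today: generate a minimal krb5.conf that lists a single KDC, turns off DNS SRV discovery so the library cannot fall back to other servers, and point the KRB5_CONFIG environment variable at it for that one process. The script below is an added example, not code from this thread or from MIT krb5; the realm EXAMPLE.COM and host kdc1.example.com are constructed placeholders, while KRB5_CONFIG, dns_lookup_kdc, dns_lookup_realm and udp_preference_limit are existing MIT krb5 configuration knobs.

```shell
#!/bin/sh
# Added example (not from the thread or MIT krb5): steer kinit to exactly one
# KDC by generating a private krb5.conf and selecting it with KRB5_CONFIG.
# Realm and hostnames used in the demo are constructed placeholders.
set -eu

# write_pinned_krb5conf REALM KDC_HOSTPORT OUTFILE
# Writes a minimal krb5.conf whose [realms] section names a single KDC.
# dns_lookup_kdc/dns_lookup_realm = false stops SRV/TXT discovery of other
# KDCs; udp_preference_limit = 1 makes the library try TCP first, answering
# the "TCP or UDP?" question for this probe configuration.
write_pinned_krb5conf() {
    realm=$1
    kdc=$2
    out=$3
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false
    udp_preference_limit = 1

[realms]
    $realm = {
        kdc = $kdc
    }
EOF
}

# kdc_count FILE
# Prints how many "kdc =" entries the generated file contains; a sanity check
# that the configuration really pins a single server.
kdc_count() {
    grep -c '^[[:space:]]*kdc[[:space:]]*=' "$1"
}

# pinned_kinit CONF PRINCIPAL
# Runs kinit with the pinned configuration. KRB5_CONFIG overrides the system
# krb5.conf for this one process only; nothing else on the host is affected.
pinned_kinit() {
    KRB5_CONFIG=$1 kinit "$2"
}

# Demo: generate and display a pinned config (run with "demo" as argument).
if [ "${1:-}" = "demo" ]; then
    conf=$(mktemp)
    write_pinned_krb5conf EXAMPLE.COM kdc1.example.com:88 "$conf"
    cat "$conf"
    echo "kdc entries: $(kdc_count "$conf")"
    rm -f "$conf"
fi
```

To probe a particular KDC, generate the file once per server under test and call `pinned_kinit "$conf" user@EXAMPLE.COM`; because the config is selected per process, the system-wide krb5.conf and any other running clients keep their normal KDC list.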