[30925] in Kerberos


Re: Obtaining Service Ticket with TGT only (via shell commands)

daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Mar 25 11:01:53 2009

To: kerberos@MIT.EDU
In-Reply-To: <49CA0B8A.1020109@navteq.com> (Frank Gruellich's message of "Wed,
	25 Mar 2009 11:46:34 +0100")
From: Russ Allbery <rra@stanford.edu>
Date: Wed, 25 Mar 2009 08:00:46 -0700
Message-ID: <87hc1hve8x.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@MIT.EDU

Frank Gruellich <frank.gruellich@navteq.com> writes:
> Greg Hudson wrote:

>> but I believe that would compromise the requirement that people have to
>> reenter their passwords in order to run kadmin.

> But that's, in fact, my intention.  I know that kadmin is some kind of
> critical tool.  If security aspects are the only problem with this setup
> I'll drop them.  I accept that kadmin/admin service is just something
> like host/eloy.example.com.

The primary practical effect of this restriction is to implement the
common security requirement that people re-enter their passwords in order
to change their password.  If you drop the special configuration for
kadmin, you will drop that requirement.  If you don't care, then you don't
care.  :)

What I would do if I were you is have your script switch ticket caches,
prompt the admin to authenticate and thereby obtain a kadmin/admin ticket
using kinit -S, and then use that ticket cache for all your operations.
Then, when you're done, kdestroy and switch back to their current ticket
cache.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
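The cache-switching procedure Russ sketches above (switch KRB5CCNAME to a private cache, kinit -S kadmin/admin, run the kadmin work against that cache, kdestroy, switch back), written out as a POSIX shell function. This is an added example, not code from the thread, from Stanford or from MIT Kerberos; the helper names with_kadmin_cache and kadmin_query, the admin principal alice/admin and the temporary cache path prefix are assumptions. The point it adds to the prose is the cleanup discipline: the private cache is created 0600 by mktemp, it is destroyed and the caller's KRB5CCNAME restored even when kinit or the kadmin command fails, and the user's ordinary TGT cache is never written to.

```shell
#!/bin/sh
# Added example: run kadmin with a private credential cache that holds a
# kadmin/admin ticket obtained via "kinit -S", then put the caller's cache back.
# The helper names, the alice/admin principal in the usage line and the cache
# path prefix are assumptions, not anything from the original thread.

# with_kadmin_cache PRINCIPAL COMMAND [ARGS...]
#   1. remember the caller's KRB5CCNAME (distinguishing "unset" from "empty")
#   2. point KRB5CCNAME at a fresh 0600 temp file (mktemp) so the user's
#      normal TGT cache is never touched
#   3. kinit -S kadmin/admin PRINCIPAL: the password prompt happens here,
#      which keeps the "re-enter your password for kadmin" property
#   4. run COMMAND, which picks up the new cache through KRB5CCNAME
#   5. kdestroy the private cache and restore KRB5CCNAME whether or not
#      steps 3 and 4 succeeded; return the first failing step's status
with_kadmin_cache() {
    princ=$1
    shift
    saved_set=${KRB5CCNAME+set}
    saved_cc=${KRB5CCNAME-}
    tmp=$(mktemp "${TMPDIR:-/tmp}/krb5cc_kadmin_XXXXXX") || return 1
    KRB5CCNAME="FILE:$tmp"
    export KRB5CCNAME
    rc=0
    if kinit -S kadmin/admin "$princ"; then
        "$@" || rc=$?
    else
        rc=$?            # kinit failed: skip the command, still clean up
    fi
    # kdestroy removes the cache file; fall back to rm if it could not run
    kdestroy >/dev/null 2>&1 || rm -f "$tmp"
    if [ -n "$saved_set" ]; then
        KRB5CCNAME=$saved_cc
        export KRB5CCNAME
    else
        unset KRB5CCNAME
    fi
    return "$rc"
}

# kadmin_query QUERY...
#   Runs one kadmin query against the cache named by KRB5CCNAME. "-c" matters:
#   without it kadmin fetches its own kadmin/admin ticket into a temporary
#   cache and prompts for the password a second time.
kadmin_query() {
    kadmin -c "$KRB5CCNAME" -q "$*"
}

# Usage (assumed admin principal; prompts for alice/admin's password once,
# then leaves alice's ordinary ticket cache exactly as it was):
#   with_kadmin_cache alice/admin kadmin_query getprinc bob
```

Because the function saves and restores KRB5CCNAME itself, it can be dropped into an existing script without the caller having to remember the switch-back step; wrapping several queries in one shell function passed as COMMAND means the admin is prompted once for the whole batch.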
