[30926] in Kerberos


Re: Obtaining Service Ticket with TGT only (via shell commands)

daemon@ATHENA.MIT.EDU (Frank Gruellich)
Wed Mar 25 13:32:25 2009

Message-ID: <49CA6A4C.70201@navteq.com>
Date: Wed, 25 Mar 2009 18:30:52 +0100
From: Frank Gruellich <frank.gruellich@navteq.com>
To: kerberos@mit.edu
In-Reply-To: <87hc1hve8x.fsf@windlord.stanford.edu>

Russ Allbery wrote:
> Frank Gruellich <frank.gruellich@navteq.com> writes:
>> Greg Hudson wrote:
>>> but I believe that would compromise the requirement that people have to
>>> reenter their passwords in order to run kadmin.
>> But that's, in fact, my intention.  I know that kadmin is some kind of
>> critical tool.  If security aspects are the only problem with this
>> setup I'll drop them.  I accept that kadmin/admin service is just something
>> up I'll drop them.  I accept that kadmin/admin service is just something
>> like host/eloy.example.com.
> The primary practical effect of this restriction is to implement the
> common security requirement that people re-enter their passwords in order
> to change their password.  If you drop the special configuration for
> kadmin, you will drop that requirement.  If you don't care, then you don't
> care.  :)

Oh, damn, that's a true impact...

> What I would do if I were you is have your script switch ticket caches,
> prompt the admin to authenticate and thereby obtain a kadmin/admin ticket
> using kinit -S, and then use that ticket cache for all your operations.
> Then, when you're done, kdestroy and switch back to their current ticket
> cache.

Then I'll prefer that way.

Kind regards,
-- 
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks

Duesseldorfer Strasse 40a
65760 Eschborn
Germany

Phone:      +49 6196 77756-414
Fax:        +49 6196 77756-100

USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand,
Hans Pieter Gieszen, Martin Robert Stockman
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
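
The approach Russ Allbery describes above (a separate ticket cache, `kinit -S`, then `kdestroy`), as an added shell example that is not part of the original message. It assumes the MIT Kerberos client tools; the function name `with_kadmin_cache` and the principal and queries in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes MIT Kerberos client tools.
# Hypothetical usage: with_kadmin_cache alice/admin "getprinc bob" "listprincs"

with_kadmin_cache() {
    [ "$#" -ge 2 ] || { echo "usage: with_kadmin_cache principal query..." >&2; return 2; }
    admin_princ=$1
    shift
    # Private cache file for the admin ticket; mktemp creates it with mode 0600.
    tmp_cc=$(mktemp "${TMPDIR:-/tmp}/krb5cc_kadmin.XXXXXX") || return 1

    # The subshell is the cache switch: KRB5CCNAME changes only inside it, so
    # the caller's own ticket cache is back in effect as soon as it exits.
    (
        KRB5CCNAME="FILE:$tmp_cc"
        export KRB5CCNAME
        # Destroy the admin ticket on every exit path, including Ctrl-C.
        trap 'kdestroy -q -c "$KRB5CCNAME"; rm -f "$tmp_cc"' EXIT
        trap 'exit 130' INT TERM

        # kinit prompts for the password here: this is the re-authentication
        # step that the kadmin/admin restriction in the thread preserves.
        kinit -S kadmin/admin -c "$KRB5CCNAME" "$admin_princ" || exit 1

        # Every operation reuses the one kadmin/admin ticket in the temp cache.
        for query in "$@"; do
            kadmin -c "$KRB5CCNAME" -p "$admin_princ" -q "$query" || exit 1
        done
    )
}
```

The function returns non-zero if authentication or any query fails, and the temporary cache is removed in either case.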
