[31986] in Kerberos
Re: Create synthetic krb5.keytab / KRB5CCNAME w/ krbtgt by daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Jan 26 11:47:25 2010
From: Greg Hudson <ghudson@mit.edu>
To: Rainer Laatsch <Laatsch@uni-koeln.de>
In-Reply-To: <alpine.LRH.2.00.1001261246330.25888@dialog5.rrz.uni-koeln.de>
Date: Tue, 26 Jan 2010 11:47:12 -0500
Message-Id: <1264524432.2241.9.camel@equal-rites.mit.edu>
Mime-Version: 1.0
Cc: "R. Laatsch" <a0049@uni-koeln.de>, "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Tue, 2010-01-26 at 06:58 -0500, Rainer Laatsch wrote:
> If a request is securely accepted (e.g. otp), is there a method to
> synthetically grant a krb5.keytab / KRB5CCNAME w/ krbtgt to a user
> by kadmin.local? Could be a help for batch jobs or login purposes.
If you do "ktadd -k filename -norandkey principalname" in kadmin or
kadmin.local, it will spit out a keytab for that principal into
filename.
The security consequences of such infrastructure should be pretty clear,
but in case they aren't: this service would have the ability to
impersonate any user to any other service, and should therefore be
treated with the same sensitivity as the KDC itself.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
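As an added example (not part of the thread), a small POSIX shell wrapper that confines the `ktadd -k filename -norandkey principalname` query Greg describes to bare user principals of one realm, so an issuing host built on it cannot be asked for krbtgt, admin or service keys; the realm EXAMPLE.ORG, the directory /var/lib/keytab-issuer and the KADMIN_DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Policy wrapper around the
# "ktadd -k <file> -norandkey <principal>" kadmin.local query, so an
# issuing service can only request keytabs for plain user principals
# in its own realm. Realm, directory and KADMIN_DRY_RUN are assumptions.
REALM="EXAMPLE.ORG"                      # assumed realm
KEYTAB_DIR="/var/lib/keytab-issuer"      # assumed output directory (mode 0700)

# build_ktadd_query NAME
# Prints the kadmin.local query for NAME, or returns 1 when NAME is not a
# bare user principal. -norandkey matters: plain ktadd would rekey the
# principal and break the user's password.
build_ktadd_query() {
    name="$1"
    # allowlist: lowercase letters, digits, '_', '.', '-'; no '/', '@',
    # whitespace or shell metacharacters, so no instances or foreign realms
    case "$name" in
        ""|*[!a-z0-9_.-]*) return 1 ;;
    esac
    # never hand out the ticket-granting or admin keys through this path
    case "$name" in
        krbtgt|kadmin) return 1 ;;
    esac
    printf 'ktadd -k %s/%s.keytab -norandkey %s@%s\n' \
        "$KEYTAB_DIR" "$name" "$name" "$REALM"
}

# issue_keytab NAME
# Runs the query on the KDC host (needs local database access). With
# KADMIN_DRY_RUN=1 it only prints the command that would run.
issue_keytab() {
    query=$(build_ktadd_query "$1") || { echo "refused: $1" >&2; return 1; }
    umask 077                        # keytab is created readable by owner only
    if [ "${KADMIN_DRY_RUN:-0}" = 1 ]; then
        printf 'kadmin.local -q "%s"\n' "$query"
    else
        kadmin.local -q "$query"
    fi
}
```

The wrapper does nothing about the point Greg makes in the last paragraph: whatever host runs it still holds the power to impersonate every user it can name, so it belongs on KDC-grade hardware with KDC-grade access control.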