[39328] in Kerberos

Re: help with OTP

daemon@ATHENA.MIT.EDU (Matt Zagrabelny via Kerberos)
Fri Jan 5 09:32:17 2024

MIME-Version: 1.0
In-Reply-To: <CAOLfK3XRaYoT+NgbjDCbEaKow36QpTjrFrjGO-jGW96=7z9u_A@mail.gmail.com>
Date: Fri, 5 Jan 2024 08:31:44 -0600
Message-ID: <CAOLfK3U9K+htja6eUzuwisSOQ6SnJSz3bDejaLvKE8b8o8rGZQ@mail.gmail.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos <kerberos@mit.edu>
From: Matt Zagrabelny via Kerberos <kerberos@mit.edu>
Reply-To: Matt Zagrabelny <mzagrabe@d.umn.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Wed, Apr 26, 2023 at 11:41 AM Matt Zagrabelny <mzagrabe@d.umn.edu> wrote:

> On Wed, Apr 26, 2023 at 11:29 AM Ken Hornstein <kenh@cmf.nrl.navy.mil>
> wrote:
>
>
> > It does occur to me a useful addition to kinit might be a flag that
> > means "authenticate using anonymous PKINIT and then use those
> > credentials as a FAST armour credential cache" so you wouldn't have
> > to muck around with juggling credential caches.
>
> That would be great and would eliminate an impending shell alias for me:
>
> alias kinit-otp='kinit -n -c /tmp/somecache; kinit -T /tmp/somecache'
>

Krb5 devs,

Any thoughts about extending kinit to natively perform the two step process
in the alias above? (And also have an option in /etc/krb5.conf so that it
is "on" by default?)

Maybe:

kinit --anonymous-cache-credentials

[libdefaults]
anonymous-cache-credentials = true

Thanks for the consideration!

-m
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
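
Added example (not part of the original message, and not a feature of MIT krb5): the two-step sequence from the alias above as a shell function. The function name `kinit_otp` and the temporary directory template are assumptions. It keeps the armor cache in a private `mktemp -d` directory instead of a fixed path under /tmp, and stops if the anonymous step fails.

```shell
# Added example: hypothetical helper, not shipped with MIT krb5.
# Wraps "kinit -n -c CACHE; kinit -T CACHE" from the message above.
kinit_otp() {
    # Optional principal; with none, kinit uses its own default.
    principal="${1:-}"

    # Private 0700 directory, so the armor cache path cannot be guessed
    # or pre-created by another local user (unlike a fixed /tmp path).
    armor_dir=$(mktemp -d "${TMPDIR:-/tmp}/krb5armor.XXXXXX") || return 1
    armor_cache="FILE:${armor_dir}/armor"

    # Step 1: anonymous PKINIT into the throwaway cache.
    if ! kinit -n -c "$armor_cache"; then
        rm -rf "$armor_dir"
        echo "kinit_otp: anonymous PKINIT failed, not continuing" >&2
        return 1
    fi

    # Step 2: real authentication, with the anonymous ticket as FAST armor.
    if [ -n "$principal" ]; then
        kinit -T "$armor_cache" "$principal"
    else
        kinit -T "$armor_cache"
    fi
    status=$?

    # The armor cache is not needed once the second kinit has returned.
    rm -rf "$armor_dir"
    return "$status"
}
```

Usage: `kinit_otp` or `kinit_otp user@REALM`; the resulting tickets land in the default credential cache as with plain kinit.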