[16264] in Kerberos_V5_Development
Project Review: kinit -C
daemon@ATHENA.MIT.EDU (Sam Hartman)
Tue Sep 14 12:56:16 2010
From: Sam Hartman <hartmans@mit.edu>
To: krbdev@mit.edu
Date: Tue, 14 Sep 2010 12:55:51 -0400
Message-ID: <tslocc0nu20.fsf@live.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
I've started a project review of
http://k5wiki.kerberos.org/wiki/Projects/What_does_God_need_with_a_password
which will conclude next week.
The interesting bits are duplicated below.
The administrator of a Kerberos database has access to all user keys
within that database. This is sufficient to impersonate any user.
Today, no convenient user interface is provided for logging in as a
given user without changing that user's password. This project proposes
to add a -c (cheat) option to kinit. If this option is supplied, then
the key will be extracted from the database rather than prompting for a
password. This option requires that kinit be run on a KDC with read
access to the Kerberos database and stash file.
Contents
* 1 Implementation
* 2 Review
+ 2.1 Approvals
+ 2.2 Discussion
Implementation
Kinit will register and use the kdb keytab in order to access the
database. It will actually contact the KDC process and go through the
full AS-REQ path. The advantage of this is that any authorization data
is generated. The disadvantage is that users who require pkinit or
hardware preauth cannot be logged in using this mechanism. As a result,
kinit will link against libkdb5 and libkadm5srv.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev