[16267] in Kerberos_V5_Development

Re: Project Review: kinit -C

daemon@ATHENA.MIT.EDU (Luke Howard)
Tue Sep 14 15:34:28 2010

Mime-Version: 1.0 (Apple Message framework v1081)
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <tslocc0nu20.fsf@live.mit.edu>
Date: Tue, 14 Sep 2010 21:34:17 +0200
Message-Id: <391A3912-1EBF-4EA1-B460-8359359E5B44@padl.com>
To: Sam Hartman <hartmans@mit.edu>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

>   The administrator of a Kerberos database has access to all user keys
>   within that database. This is sufficient to impersonate any user.
>   Today, no convenient user interface is provided for logging in as a
>   given user without changing that user's password. This project proposes
>   to add a -c (cheat) option to kinit. If this option is supplied, then
>   the key will be extracted from the database rather than prompting for a
>   password. This option requires that kinit be run on a KDC with read
>   access to the Kerberos database and stash file.

Um, can't we use S4U2Self for this? Or am I missing something very obvious?

-- Luke
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
