[16270] in Kerberos_V5_Development
Re: Project Review: kinit -C
daemon@ATHENA.MIT.EDU (Luke Howard)
Tue Sep 14 16:03:16 2010
Mime-Version: 1.0 (Apple Message framework v1081)
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <tsl7hionls6.fsf@live.mit.edu>
Date: Tue, 14 Sep 2010 22:03:08 +0200
Message-Id: <B19CEB40-16CA-49C7-BCA2-CB7A01C57C37@padl.com>
To: Sam Hartman <hartmans@mit.edu>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
OK, I need to think about it some more.
-- Luke
On 14/09/2010, at 9:54 PM, Sam Hartman wrote:
>>>>>> "Luke" == Luke Howard <lukeh@padl.com> writes:
>
>>> The administrator of a Kerberos database has access to all user
>>> keys within that database. This is sufficient to impersonate any
>>> user. Today, no convenient user interface is provided for
>>> logging in as a given user without changing that user's
>>> password. This project proposes to add a -c (cheat) option to
>>> kinit. If this option is supplied, then the key will be extracted
>>> from the database rather than prompting for a password. This
>>> option requires that kinit be run on a KDC with read access to
>>> the Kerberos database and stash file.
>
> Luke> Um, can't we use S4U2Self for this? Or am I missing something
> Luke> very obvious?
>
> Are s4u2self tickets marked as such?
>
> The use cases for this are things like an administrator impersonating a
> user in order to respond to legal actions, or because someone is sick
> and their files need to be accessed. So, you want explicitly the same
> authorizations as a user, etc.
> How much work would it be in the current s4u2self code to pull this off?
>
--
www.padl.com | www.thisismagnolia.net
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev