[33164] in Kerberos
Re: keytab to krb5_creds?
daemon@ATHENA.MIT.EDU (John Hascall)
Sat Jan 29 17:46:29 2011
To: Russ Allbery <rra@stanford.edu>
In-reply-to: Your message of Fri, 28 Jan 2011 14:00:17 -0800.
<874o8s1yfi.fsf@windlord.stanford.edu>
Date: Sat, 29 Jan 2011 16:46:20 CST
Message-ID: <16073.1296341180@malison.ait.iastate.edu>
From: John Hascall <john@iastate.edu>
Cc: kerberos@mit.edu
Thanks everyone for the hints. Turns out it only took a
couple hundred lines of code to work up a Q+D functional
proof-of-concept.
John
-------------------------------------------------------------------------------
John Hascall, john@iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology
> John Hascall <john@iastate.edu> writes:
>
> > It seems to me that one ought to be able to construct a krb5_creds
> > struct given a keytab (and the princ name you want from it)? [probably
> > re-inventing a number of wheels due to non-publicly visible functions]
>
> The kimpersonate tool that comes with Heimdal does essentially this. Per
> the man page:
>
> The kimpersonate program creates a "fake" ticket using the
> service-key of the service. The service key can be read from a
> Kerberos 5 keytab, AFS KeyFile or (if compiled with support for
> Kerberos 4) a Kerberos 4 srvtab.
>
> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos