[39151] in Kerberos


Re: Kerberos protocol transition with unconstrained delegation (i.e.

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Oct 28 00:12:18 2022

Message-ID: <3c20a908-eced-131e-527d-5b7fab957a68@mit.edu>
Date: Fri, 28 Oct 2022 00:06:50 -0400
To: Jeffrey Hutzelman <jhutz@cmu.edu>, Russ Allbery <eagle@eyrie.org>
Cc: Jonathan Calmels via Kerberos <kerberos@mit.edu>,
        Jonathan Calmels <jcalmels@nvidia.com>
From: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <CALF+FNxW4gXTuS6iBPKaFeLLRoD1Y+-n-Nd-G7-V=W30AOg9eg@mail.gmail.com>

On 10/27/22 12:36, Jeffrey Hutzelman wrote:
> You don't need libkadm5 for any of this -- all you need to print a service
> ticket (even a TGT) is the service's key. Heimdal comes with a program,
> kimpersonate, which does this and could easily be used as a basis for your
> impersonation service.

MIT krb5 has a sort-of equivalent: "kinit -k -t KDB: username".  The KDC 
is still in the loop, but no password or keytab for the user is 
required.  (Add "-S krbtgt/OTHERREALM" for a cross-realm TGT.)

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
