[39152] in Kerberos


Re: Kerberos protocol transition with unconstrained delegation (i.e.

daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Fri Oct 28 08:36:19 2022

MIME-Version: 1.0
In-Reply-To: <3c20a908-eced-131e-527d-5b7fab957a68@mit.edu>
From: Jeffrey Hutzelman <jhutz@cmu.edu>
Date: Fri, 28 Oct 2022 08:30:20 -0400
Message-ID: <CALF+FNzsG3Q=w0+KZYHurgDjiNRg252ar6pCa_5=H8kDjAynWA@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: Jonathan Calmels <jcalmels@nvidia.com>,
        Jonathan Calmels via Kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Ah, I didn't realize MIT Kerberos had grown the "KDB" keytab method.
That's similar to Jonathan's idea of using the kadmin libraries to extract
the client's key from the kdb, but doesn't require wiring custom code. It
does require colocating with a KDC, but I agree with Russ; it's probably
best to do that anyway.

-- Jeff

On Fri, Oct 28, 2022, 00:06 Greg Hudson <ghudson@mit.edu> wrote:

> On 10/27/22 12:36, Jeffrey Hutzelman wrote:
> > You don't need libkadm5 for any of this -- all you need to print a
> service
> > ticket (even a TGT) is the service's key. Heimdal comes with a program,
> > kimpersonate, which does this and could easily be used as a basis for
> your
> > impersonation service.
>
> MIT krb5 has a sort-of equivalent: "kinit -k -t KDB: username".  The KDC
> is still in the loop, but no password or keytab for the user is
> required.  (Add "-S krbtgt/OTHERREALM" for a cross-realm TGT.)
>
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
