Is there a way to steer kinit to a specific kdc?
Greg Hudson
ghudson at mit.edu
Wed Apr  5 12:11:42 EDT 2023

On 4/5/23 00:52, Dan Mahoney (Gushi) wrote:
> Can neither mit kinit nor the heimdal one supplied with BSD systems by 
> default, not just be forced to a single KDC?

It can't, and the library APIs don't really enable it.  A program could 
use krb5_init_creds_step() or krb5_tkt_creds_step() to compose KDC 
requests and do its own network transport, but kinit isn't in the 
business of doing its own network stuff and it doesn't use the _step APIs.

Adding an init_creds option to specify a KDC host would raise some 
questions.  Does the application specify a hostname or an address?  Can 
it specify specifically TCP or UDP or the fallback order?  What about https?

At this time I would rather see an externally-maintained KDC probe 
application using the _step APIs (or for people to keep doing this with 
faked-up krb5.conf files) than accept the complexity of building this 
into the MIT krb5 kinit and the API.
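
The "faked-up krb5.conf" workaround mentioned in the reply, written out as an added example (not part of the original message and not MIT krb5 project code): a throwaway config lists exactly one KDC for the realm, and kinit is pointed at it through the KRB5_CONFIG environment variable. The function names, realm, host names and principal are constructed placeholders.

```shell
#!/bin/sh
# Added example: probe one specific KDC by giving kinit a temporary krb5.conf
# that names only that KDC. All realm/host/principal values are placeholders.

# write_pinned_conf REALM KDC_HOST[:PORT]
# Writes a minimal krb5.conf and prints its path (mktemp creates it mode 0600).
write_pinned_conf() {
    realm=$1
    kdc=$2
    conf=$(mktemp "${TMPDIR:-/tmp}/krb5-pinned.XXXXXX") || return 1
    # dns_lookup_kdc = false: do not let DNS SRV records supply other KDCs.
    cat > "$conf" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false

[realms]
    $realm = {
        kdc = $kdc
    }
EOF
    printf '%s\n' "$conf"
}

# probe_kdc REALM KDC_HOST[:PORT] [kinit arguments...]
# Runs kinit against the pinned KDC with a scratch credential cache, so the
# caller's real cache is untouched, then returns kinit's exit status.
probe_kdc() {
    realm=$1; kdc=$2; shift 2
    conf=$(write_pinned_conf "$realm" "$kdc") || return 1
    ccache=$(mktemp "${TMPDIR:-/tmp}/krb5cc-probe.XXXXXX") || { rm -f "$conf"; return 1; }
    KRB5_CONFIG=$conf KRB5CCNAME=FILE:$ccache kinit "$@"
    rc=$?
    rm -f "$conf" "$ccache"
    return $rc
}

# Constructed usage (keytab-based, so no password prompt):
#   for k in kdc1.example.com kdc2.example.com; do
#       probe_kdc EXAMPLE.COM "$k" -k -t /etc/krb5.keytab host/client.example.com \
#           && echo "$k ok" || echo "$k FAILED"
#   done
```

Because only the temporary file is named in KRB5_CONFIG, settings from the system krb5.conf (enctypes, realm mappings) are not applied during the probe; copy across any that the realm needs.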
    
    