Kerberos Windows Client sign

Rodney M Dyer rmdyer at uncc.edu
Fri Sep 10 17:06:19 EDT 2004 

At 01:30 PM 9/9/04, you wrote:
>The KFW kinit does not allow keyboard redirection.

[Rodney steps onto soap box]

Unfortunately, since in my little world view, there is no distinction 
between levels of programming.  Scripting is just as valid a way to code as 
calling libraries from C code.  The kinit program does not allow stdin 
because someone made that executive decision at the developer level.  It is 
not that way for any technical limitation.  However, this is somewhat odd 
since the Sun version of "kinit" and the Solaris version of "kinit" that 
ships with MIT Kerberos both allow reading from STDIN.

If you want to get your hands dirty and disobey the developers you can try 
the hack to the KFW kinit.  See the section "Bug in MIT's version of 
KINIT.EXE prevents reading passwords from stdin", in the document "The 
Integration of Kerberos V5, AFS, and Windows XP using the AFSLogonShell" 
here...

      http://www.coe.uncc.edu/~rmdyer/krblogon.htm

This described hack was for the 1.3.1 version of kinit.  I don't know if it 
still works with the latest version.

Hack at your own risk.  I am not promoting this solution, however I do 
think that it is a valid way to provide a short term method of 
authentication.  You should be cautioned however to not directly echo the 
password in a command line.  Instead you should use the technique described 
in the section "Shouldn't use XP command shell ECHO for sending password to 
KINIT.EXE" from the same document.

Rodney



>Luis Daniel Lucio Quiroz wrote:
>
> > Helo All,
> >
> > I was wondering if there is away to make kerberos auth automatic.  The 
> fact is
> > that I working on making a NT4 (samba) like domain work most closely 
> like a
> > 2k-alike domain (I'm interesting on Kerberos and single-singon 
> feature).  On
> > PDC all services are already kerberized, using pam or native support.
> >
> > When a client sign on I can catch its password, so I would know if 
> there is a
> > way to use kinit command with out prompint,
> >
> > I have tried:   echo passwor | kinit user         and
> > kinit user < pass.txt
> >
> > but both of two fails and display windows prompmt.  Does any one knows
> > something more easy?  Or if tehre is a simple kerberos client that 
> supports
> > this?
> >
> >
> > regards,
> >
> > LD
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
>--
>-----------------
>This e-mail account is not read on a regular basis.
>Please send private responses to jaltman at mit dot edu
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list