Creation of principal without password

Fariba fariba at
Fri Aug 18 20:02:36 EDT 2006

Your case is a good example. How do you allow principal creation with no 
random keys? I hope this means with no password as well.  Also with 
PKINIT, it is window's specific. right? And still user needs to have the 
password set first and then PKINIT comes to picture. right? As admin we 
want to create the users via a process and when user tries to login to 
our system, it is asked to set its password and our admin process will 
set the password in kerberos for them. But it seems kerberos cannot be a 
place holder for username without password!? And if somehow it is how 
does it handle when it comes to authentication? I see its chpassword 
needs old and new password to be specified. Even if it lets you to say 
the old password is null and does not return an error, then it is a 
security hole, since anybody with that username and null password can 
authenticate!? Thank you.

Ken Raeburn wrote:
> An administrator could change the password with kadmin's "cpw" command.
> This is roughly the use case I had in mind:  At a school, a registrar 
> creates accounts (including Kerberos principals) for use by the 
> students in a class, with names constructed like <class 
> identifier><sequence number>, e.g., c101_12, with random keys (or, if 
> we allowed it, with no keys).  The realm is shared across a bunch of 
> classes.  The instructors for the class are given the ability to 
> change passwords for accounts, but not to create new accounts.  After 
> the first class, each student meets with the instructor or teaching 
> assistants, gets assigned an account id, and picks a password which is 
> set on the principal then and there by the instructor.  Probably not 
> the most convenient way of doing it, compared to, say, having the 
> registrar assign initial passwords and require that the passwords be 
> changed immediately, but it would work.
> Another no-password case would be PKINIT; if the initial tickets are 
> always acquired via PKINIT, there's no need for a password.
> Ken

More information about the Kerberos mailing list