Creation of principal without password

Ken Raeburn raeburn at MIT.EDU
Sat Aug 19 17:06:18 EDT 2006 

> How do you allow principal creation with no random keys? I hope  
> this means with no password as well.

At the moment, I don't think it's possible in the MIT code.  But with  
PKINIT, we may want to change that.

>   Also with PKINIT, it is window's specific. right?

Um, no, but MIT isn't shipping an implementation yet.

> And still user needs to have the password set first and then PKINIT  
> comes to picture. right?

At least in theory, no; if you present a certificate and proof that  
you have the key, you get your Kerberos credentials.  (Well, subject  
to a bunch of other constraints, but not involving having a separate  
Kerberos key or password.)

> As admin we want to create the users via a process and when user  
> tries to login to our system, it is asked to set its password and  
> our admin process will set the password in kerberos for them. But  
> it seems kerberos cannot be a place holder for username without  
> password!? And if somehow it is how does it handle when it comes to  
> authentication?

If you created a placeholder account and set the password later,  
you'd need to set the password via some privileged process (such as  
having an administrator do it with their credentials), ideally after  
using some other verification system (like looking at the user's  
government-issued identification).  My point was that different  
administrators might have different privileges, with some being able  
to set passwords on certain previously-created accounts but not  
allowed to create them; then the "placeholder" functionality would  
make sense, but there'd be little use for a password or even a random  
key (with the approach I described).

> I see its chpassword needs old and new password to be specified.  
> Even if it lets you to say the old password is null and does not  
> return an error, then it is a security hole, since anybody with  
> that username and null password can authenticate!?

You'd have to have the right privileges to set the password on a  
principal without having the old password.  It wouldn't be allowed  
for random users.

Ken

More information about the Kerberos mailing list