Use ssh key to acquire TGT?

Adam Megacz megacz at hcoop.net
Fri Jun 1 01:32:26 EDT 2007


>> Because you have to kinit once **per realm**.

> Well, if the passwords are different you can't get around that.

As they should be, because I do not want to entrust the admins of any
of the systems I use with knowledge of the password for my account on
other systems.

> And wouldn't a user need to enter multiple passwords if the
> passphrases were different on separate private keys?

... which is why you use one private key for many sites.

> Ask for realm trusts.

I'm glad we're in agreement about the fact that this is totally
impractical in the large.

One of these days I'm going to request (for HCOOP) crossrealm trusts
with the top 10 computer science universities in the USA [*] and
document (a) my success rate, (b) how many emails it took, and (c) how
many months from first request to working trust entry.  Hopefully a
published case study like this will get people to stop pretending that
crossrealm is actually a legitimate general-purpose solution.

> Anyone who hacked local root would be able to just copy all the
> tickets in the krbcc in /tmp when users login anyway.

Stealing keytabs is far worse than stealing 10-hour tickets.

> It should be possible.  Use the addent ktutil function.

Ah, neat; I didn't know this existed.  Thanks!

  - a

[*] I don't mean to be US-centric here; this is mainly to preempt any
    claims that language barriers or legal concerns can explain the
    success rates being abysmal (which they will be).

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380
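The keytab route the thread ends on, as an added example that is not part of the original message: build a user keytab with MIT ktutil's addent, refuse to use it unless it is mode 0600 (a keytab holds the long-term key and is password-equivalent, which is the reason a stolen keytab is worse than a stolen ticket cache that expires in hours), and then kinit once per realm from that one file into per-realm caches. The principal names, realms, the keytab path and the cache naming are assumptions for illustration, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders: principals, realms,
# keytab path and cache paths are illustrative only.

# Emit the ktutil command script for one principal (MIT ktutil syntax):
#   addent -password -p PRINCIPAL -k KVNO -e ENCTYPE ; wkt FILE ; quit
# addent -password makes ktutil prompt for the password on the terminal,
# so paste the output into an interactive ktutil session rather than
# piping it, and run it under umask 077 so the file is born private.
ktutil_script() {
    princ=$1; kvno=$2; keytab=$3
    printf 'addent -password -p %s -k %s -e aes256-cts-hmac-sha1-96\n' "$princ" "$kvno"
    printf 'wkt %s\nquit\n' "$keytab"
}

# Return 0 only if the keytab is a regular file with mode 0600.
# The first ten columns of ls -ld are used so the check works on both
# GNU and BSD userland (SELinux/ACL suffixes are cut off).
keytab_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Print one kinit command per principal ("user@REALM"), each writing to
# its own FILE cache named after the uid and realm, so that a realm's
# tickets can be selected later with KRB5CCNAME. Printing the commands
# keeps this testable without a KDC; kinit_all executes them.
kinit_commands() {
    keytab=$1; shift
    for princ in "$@"; do
        realm=${princ#*@}
        printf 'kinit -kt %s -c /tmp/krb5cc_%s_%s %s\n' \
            "$keytab" "$(id -u)" "$realm" "$princ"
    done
}

# Usage: kinit_all ~/.krb5/user.keytab me@EXAMPLE.ORG me@OTHER.EDU
kinit_all() {
    keytab_perms_ok "$1" || { echo "refusing: $1 must be mode 0600" >&2; return 1; }
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed" >&2; return 2; }
    kinit_commands "$@" | sh -e
}
```

The caches still land in /tmp, so the thread's observation about local root copying them stands; the script only makes sure the far more valuable artefact, the keytab, is never used while world- or group-readable.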