Query about an admin testing a user's creds

Christopher D. Clausen cclausen at acm.org
Mon Jan 7 00:01:59 EST 2008


Coy Hile <coy.hile at coyhile.com> wrote:
> If we need to test, for example, that a user is actually getting a
> TGT, we need to inform the user that we're changing their password
> temporarily, change it, authenticate as them directly, and then have
> them change it back.  We've all been wondering aloud whether there is
> some way for an admin to get creds as a user directly (e.g., something
> like su - user which actually does a kinit as that user).  Has
> something along those lines been implemented?  If not, what's the
> reasoning behind it not being so implemented? (I'm perfectly happy to
> accept "Because it's Really Stupid(tm) for the following reasons..." as
> an answer too :))

What flavor of Kerberos are you using?  I believe that it is trivial 
with a Heimdal setup for a Kerberos admin to extract a keytab for any 
principal and NOT actually change the password of the principal.  (Use 
the ext_keytab command in kadmin.)  It is less easy with an MIT setup.

You can revert the krb5 database to the point it was at before a 
principal change, however if other principals were changed in the 
meantime, you could have a serious synchronization problem.  You may be 
able to do this manually by just finding the data in the dump for a 
particular principal and injecting it into a newer dump of the current 
Kerberos database.  I am unaware of potential fallout from doing this 
though.

Alternately, you could modify your change password procedure to either 
store the cleartext of the password (bad idea) or generate a keytab for 
the user using the provided password (slightly less bad of an idea) 
during the change process.

<<CDC 
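The Heimdal procedure the reply points at (extract the principal's keytab with kadmin's ext_keytab, then kinit from it to confirm the user gets a TGT), written out as an added example that is not part of the original message. It assumes Heimdal's kadmin, kinit and klist are on PATH and that `kadmin -l` is run locally on the KDC; a remote admin would authenticate to kadmind instead. The DRY_RUN switch, the temporary-directory layout and the function name are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original message: check that a user can obtain
# a TGT by extracting that user's keytab with Heimdal's "kadmin ext_keytab"
# and running kinit from it, leaving the user's password untouched.
# Assumptions: Heimdal kadmin, kinit and klist are in PATH; "kadmin -l" runs
# in local mode on the KDC (a remote admin would authenticate instead);
# DRY_RUN=1 only prints the commands, which is how this is exercised offline.

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# test_user_tgt PRINCIPAL
# The body runs in a subshell so umask, the exported cache name and the
# cleanup trap do not leak into the caller's shell.
test_user_tgt() (
    princ="$1"
    [ -n "$princ" ] || { echo "usage: test_user_tgt principal" >&2; exit 2; }
    umask 077
    # Private directory for the keytab and credential cache.  The extracted
    # keytab is password-equivalent, so it is removed on every exit path.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/krbtest.XXXXXX") || exit 1
    trap 'rm -rf "$dir"' EXIT
    kt="$dir/user.keytab"
    cc="$dir/ccache"
    # Extract the principal's current keys.  Unlike MIT's ktadd, which
    # randomizes the key by default, ext_keytab leaves the password valid.
    run kadmin -l ext_keytab -k "$kt" "$princ" || exit 1
    # Use a separate cache so the admin's own tickets are not overwritten.
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    run kinit -t "$kt" "$princ" || exit 1
    run klist
)

# Usage: test_user_tgt alice@EXAMPLE.ORG   (DRY_RUN=1 prints the commands only)
```

The two points worth keeping from this beyond the bare commands: the keytab you just extracted is as good as the user's password, so it lives in a 0700 directory and is deleted by the EXIT trap whether or not kinit succeeds; and kinit writes into its own KRB5CCNAME so the admin's existing tickets are not replaced by the user's.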
