Obtaining Service Ticket with TGT only (via shell commands)
Russ Allbery
rra at stanford.edu
Wed Mar 25 11:00:46 EDT 2009
Frank Gruellich <frank.gruellich at navteq.com> writes:
> Greg Hudson wrote:
>> but I believe that would compromise the requirement that people have to
>> reenter their passwords in order to run kadmin.
> But that's, in fact, my intention. I know that kadmin is some kind of
> critical tool. If security aspects are the only problem with this setup
> I'll drop them. I accept that kadmin/admin service is just something
> like host/eloy.example.com.
The primary practical effect of this restriction is to implement the
common security requirement that people re-enter their passwords in order
to change their password. If you drop the special configuration for
kadmin, you will drop that requirement. If you don't care, then you don't
care. :)
What I would do if I were you is have your script switch ticket caches,
prompt the admin to authenticate and thereby obtain a kadmin/admin ticket
using kinit -S, and then use that ticket cache for all your operations.
Then, when you're done, kdestroy and switch back to their current ticket
cache.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
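The cache-switching sequence Russ describes (switch to a throwaway ticket cache, prompt the admin and obtain a kadmin/admin service ticket with kinit -S, run the kadmin operation against that cache, then kdestroy and switch back), as an added example shell function that is not part of the original post. It assumes MIT Kerberos command-line tools (kinit with -S, kadmin with -c/-p/-q, kdestroy with -c) on PATH and that KRB5CCNAME selects the cache they use; the admin principal and the kadmin query are whatever the caller passes, and the temporary cache path comes from mktemp.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): run one kadmin query
# against a separate, temporary ticket cache that holds only a
# kadmin/admin service ticket, then destroy that cache and restore the
# caller's KRB5CCNAME. Assumes MIT Kerberos client tools on PATH.

# with_admin_cache ADMIN_PRINC KADMIN_QUERY...
#   e.g. with_admin_cache alice/admin getprinc bob
with_admin_cache() {
    admin_princ=$1; shift
    saved_cc=${KRB5CCNAME:-}          # caller's cache, possibly unset
    tmp_cc=$(mktemp "${TMPDIR:-/tmp}/krb5cc_admin.XXXXXX") || return 1
    KRB5CCNAME="FILE:$tmp_cc"
    export KRB5CCNAME

    status=0
    # Prompt for the admin's password and ask for a kadmin/admin service
    # ticket directly (kinit -S), so the temporary cache never holds a TGT
    # and the re-enter-your-password requirement for kadmin is preserved.
    if kinit -S kadmin/admin "$admin_princ"; then
        kadmin -p "$admin_princ" -c "$KRB5CCNAME" -q "$*" || status=$?
    else
        status=$?
    fi

    # Always clean up: destroy the throwaway cache, remove the file,
    # and switch back to whatever cache the caller was using.
    kdestroy -c "$KRB5CCNAME" 2>/dev/null
    rm -f "$tmp_cc"
    if [ -n "$saved_cc" ]; then
        KRB5CCNAME=$saved_cc; export KRB5CCNAME
    else
        unset KRB5CCNAME
    fi
    return $status
}
```

The function restores the caller's cache on every path, including a failed kinit, so a script that sources it can run several admin operations without ever mixing the kadmin/admin ticket into the admin's everyday cache.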