Create synthetic krb5.keytab / KRB5CCNAME w/ krbtgt by kadmin.local?

Greg Hudson ghudson at mit.edu
Tue Jan 26 11:47:12 EST 2010


On Tue, 2010-01-26 at 06:58 -0500, Rainer Laatsch wrote:
> If a request is securely accepted (e.g. otp), is there a method to 
> synthetically grant a krb5.keytab / KRB5CCNAME w/ krbtgt to a user
> by kadmin.local? Could be a help for batch jobs or login purposes.

If you do "ktadd -k filename -norandkey principalname" in kadmin or
kadmin.local, it will spit out a keytab for that principal into
filename.

The security consequences of such infrastructure should be pretty clear,
but in case they aren't: this service would have the ability to
impersonate any user to any other service, and should therefore be
treated with the same sensitivity as the KDC itself.