Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)

Jeffrey Hutzelman jhutz at cmu.edu
Fri Oct 28 08:30:20 EDT 2022


Ah, I didn't realize MIT Kerberos had grown the "KDB" keytab method.
That's similar to Jonathan's idea of using the kadmin libraries to extract
the client's key from the kdb, but doesn't require wiring custom code. It
does require colocating with a KDC, but I agree with Russ; it's probably
best to do that anyway.

-- Jeff

On Fri, Oct 28, 2022, 00:06 Greg Hudson <ghudson at mit.edu> wrote:

> On 10/27/22 12:36, Jeffrey Hutzelman wrote:
> > You don't need libkadm5 for any of this -- all you need to print a service
> > ticket (even a TGT) is the service's key. Heimdal comes with a program,
> > kimpersonate, which does this and could easily be used as a basis for your
> > impersonation service.
>
> MIT krb5 has a sort-of equivalent: "kinit -k -t KDB: username".  The KDC
> is still in the loop, but no password or keytab for the user is
> required.  (Add "-S krbtgt/OTHERREALM" for a cross-realm TGT.)


More information about the Kerberos mailing list