help with OTP

Matt Zagrabelny mzagrabe at d.umn.edu
Fri Jan 5 09:31:44 EST 2024


On Wed, Apr 26, 2023 at 11:41 AM Matt Zagrabelny <mzagrabe at d.umn.edu> wrote:

> On Wed, Apr 26, 2023 at 11:29 AM Ken Hornstein <kenh at cmf.nrl.navy.mil>
> wrote:
>
>
> > It does occur to me a useful addition to kinit might be a flag that
> > means "authenticate using anonymous PKINIT and then use those
> > credentials as a FAST armour credential cache" so you wouldn't have
> > to muck around with juggling credential caches.
>
> That would be great and would eliminate an impending shell alias for me:
>
> alias kinit-otp='kinit -n -c /tmp/somecache; kinit -T /tmp/somecache'
>

Krb5 devs,

Any thoughts about extending kinit to natively perform the two step process
in the alias above? (And also have an option in /etc/krb5.conf so that it
is "on" by default?)

Maybe:

kinit --anonymous-cache-credentials

[libdefaults]
anonymous-cache-credentials = true

Thanks for the consideration!

-m
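The two-step process from the alias above, written as a shell function; this is an added example, not part of the original message and not krb5 code. It keeps the armor cache in a private `mktemp -d` directory instead of a fixed `/tmp` path and removes it afterwards; the name `kinit_otp` and the `FILE:` cache layout are assumptions.

```shell
# Added example: anonymous PKINIT used as a FAST armor cache for kinit.
# Uses only the kinit options that appear in the thread (-n, -c, -T).
kinit_otp() {
    # Usage: kinit_otp [principal]
    # mktemp -d creates a mode-0700 directory with an unpredictable name,
    # so no other local user can pre-create or read the armor cache.
    kotp_dir=$(mktemp -d "${TMPDIR:-/tmp}/kinit-otp.XXXXXX") || return 1
    kotp_armor="FILE:$kotp_dir/armor"
    kotp_rc=0

    # Step 1: obtain an anonymous ticket into the private cache.
    if kinit -n -c "$kotp_armor"; then
        # Step 2: authenticate for real, armored by the anonymous ticket.
        # The resulting TGT goes to the default cache, as with the alias.
        kinit -T "$kotp_armor" "$@" || kotp_rc=$?
    else
        kotp_rc=$?
        echo "kinit_otp: anonymous PKINIT failed, skipping armored kinit" >&2
    fi

    # The armor ticket is only needed during the exchange; discard it.
    kdestroy -q -c "$kotp_armor" 2>/dev/null || true
    rm -rf -- "$kotp_dir"
    return "$kotp_rc"
}
```

Unlike the alias, the second `kinit` is not attempted when the anonymous step fails, and the function returns that failure's exit status.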

