Project Review: kinit -C

Sam Hartman hartmans at MIT.EDU
Tue Sep 14 12:55:51 EDT 2010 

I've started a project review of
http://k5wiki.kerberos.org/wiki/Projects/What_does_God_need_with_a_password
which will conclude next week.
The interesting bits are duplicated below.

   The administrator of a Kerberos database has access to all user keys
   within that database. This is sufficient to impersonate any user.
   Today, no convenient user interface is provided for logging in as a
   given user without changing that user's passowrd. This project proposes
   to add a -c (cheat) option to kinit. If this option is supplied, then
   the key will be extracted from the database rather than prompting for a
   password. This option requires that kinit be run on a KDC with read
   access to the Kerberos database and stash file.

   Contents

        * [9]1 Implementation
        * [10]2 Review
             + [11]2.1 Approvals
             + [12]2.2 Discussion

Implementation

   Kinit will register and use the kdb keytab in order to access the
   database. It will actually contact the KDC process and go through th
   efull AS-REQ path. The advantage of this is that any authorization data
   is generated. The disadvantage is that users who require pkinit or
   hardware preauth cannot be logged in using this mechanism. As a result,
   kinit will link against libkdb5 and libkadm5srv.

More information about the krbdev mailing list