Project Review: kinit -C

Luke Howard lukeh at padl.com
Tue Sep 14 15:34:17 EDT 2010


>   The administrator of a Kerberos database has access to all user keys
>   within that database. This is sufficient to impersonate any user.
>   Today, no convenient user interface is provided for logging in as a
>   given user without changing that user's password. This project proposes
>   to add a -c (cheat) option to kinit. If this option is supplied, then
>   the key will be extracted from the database rather than prompting for a
>   password. This option requires that kinit be run on a KDC with read
>   access to the Kerberos database and stash file.

Um, can't we use S4U2Self for this? Or am I missing something very obvious?

-- Luke


