Project Review: kinit -C

Sam Hartman hartmans at MIT.EDU
Tue Sep 14 15:54:33 EDT 2010


>>>>> "Luke" == Luke Howard <lukeh at padl.com> writes:

    >> The administrator of a Kerberos database has access to all user
    >> keys within that database. This is sufficient to impersonate any
    >> user.  Today, no convenient user interface is provided for
    >> logging in as a given user without changing that user's
    >> password. This project proposes to add a -c (cheat) option to
    >> kinit. If this option is supplied, then the key will be extracted
    >> from the database rather than prompting for a password. This
    >> option requires that kinit be run on a KDC with read access to
    >> the Kerberos database and stash file.

    Luke> Um, can't we use S4U2Self for this? Or am I missing something
    Luke> very obvious?

Are s4u2self tickets marked as such?

The use cases for this are things like an administrator impersonating a
user in order to respond to legal actions, or because someone is sick
and their files need to be accessed.  So, you want explicitly the same
authorizations as a user, etc.
How much work would it be in the current s4u2self code to pull this off?
