Project Review: kinit -C

Luke Howard lukeh at padl.com
Tue Sep 14 16:03:08 EDT 2010


OK, I need to think about it some more.

-- Luke

On 14/09/2010, at 9:54 PM, Sam Hartman wrote:

>>>>>> "Luke" == Luke Howard <lukeh at padl.com> writes:
> 
>>> The administrator of a Kerberos database has access to all user
>>> keys within that database. This is sufficient to impersonate any
>>> user.  Today, no convenient user interface is provided for
>>> logging in as a given user without changing that user's
>>> passowrd. This project proposes to add a -c (cheat) option to
>>> kinit. If this option is supplied, then the key will be extracted
>>> from the database rather than prompting for a password. This
>>> option requires that kinit be run on a KDC with read access to
>>> the Kerberos database and stash file.
> 
>    Luke> Um, can't we use S4U2Self for this? Or am I missing something
>    Luke> very obvious?
> 
> Are s4u2self tickets marked as such?
> 
> The use cases for this are things like an administrator impersonating a
> user in order to respond to legal actions, or because someone is sick
> and their files need to be accessed.  So, you want eexplicitly the same
> authorizations as a user, etc.
> how much work would it be in the current s4u2self code to pull this off?
> 

--
www.padl.com | www.thisismagnolia.net




More information about the krbdev mailing list