Project Review: kinit -C
Luke Howard
lukeh at padl.com
Tue Sep 14 16:03:08 EDT 2010
OK, I need to think about it some more.
-- Luke
On 14/09/2010, at 9:54 PM, Sam Hartman wrote:
>>>>>> "Luke" == Luke Howard <lukeh at padl.com> writes:
>
>>> The administrator of a Kerberos database has access to all user
>>> keys within that database. This is sufficient to impersonate any
>>> user. Today, no convenient user interface is provided for
>>> logging in as a given user without changing that user's
>>> passowrd. This project proposes to add a -c (cheat) option to
>>> kinit. If this option is supplied, then the key will be extracted
>>> from the database rather than prompting for a password. This
>>> option requires that kinit be run on a KDC with read access to
>>> the Kerberos database and stash file.
>
> Luke> Um, can't we use S4U2Self for this? Or am I missing something
> Luke> very obvious?
>
> Are s4u2self tickets marked as such?
>
> The use cases for this are things like an administrator impersonating a
> user in order to respond to legal actions, or because someone is sick
> and their files need to be accessed. So, you want eexplicitly the same
> authorizations as a user, etc.
> how much work would it be in the current s4u2self code to pull this off?
>
--
www.padl.com | www.thisismagnolia.net
More information about the krbdev
mailing list