Projects/What does God need with a password

From K5Wiki
Revision as of 15:50, 13 September 2010 by SamHartman (talk | contribs) (kinit -C)

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


kinit -C with apologies to Star Trek.

The administrator of a Kerberos database has access to all user keys within that database. This is sufficient to impersonate any user. Today, no convenient user interface is provided for logging in as a given user without changing that user's password. This project proposes to add a -c (cheat) option to kinit. If this option is supplied, then the key will be extracted from the database rather than prompting for a password. This option requires that kinit be run on a KDC with read access to the Kerberos database and stash file.


Implementation

kinit will register and use the kdb keytab in order to access the database. It will actually contact the KDC process and go through the full AS-REQ path. The advantage of this is that any authorization data is generated. The disadvantage is that users who require pkinit or hardware preauth cannot be logged in using this mechanism. As a result, kinit will link against libkdb5 and libkadm5srv.