Re: kpasswd w/forwardable
David Nerenberg <firstname.lastname@example.org> writes:
> Upon investigation, I see that the kadmin/changepw principal has
> "disallow-forwardable" set as an attribute. This brings me to two
> questions, first, why is this set? Just because a ticket is
> forwardable doesn't mean it was forwarded from another realm, so why
> is this bad?
Basically, because there's only a `forwardable' bit in the database.
As long as you can't issue forwardable tickets you should not get
forwarded ones either. And besides, it doesn't seem to hurt.
> Second, with this setup, how could I force kpasswd to get a
> non-forwardable ticket for its use?
With the included patch. :-)
> (For that matter, how would I even get kinit to get a
> non-forwardable ticket, I only see options to get a forwardable one
> - this appears to assume the default is not to get a forwardable)
With `--forwardable=no' or `--no-forwardable'. This works with all
long options. There's no short option, but you can abbreviate it as
long as it's unique (so actually `--no-f' works).
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/kpasswd/kpasswd.c,v
retrieving revision 1.20
diff -u -w -u -w -r1.20 kpasswd.c
--- kpasswd.c 1999/12/02 17:05:00 1.20
+++ kpasswd.c 2000/01/28 03:09:59
@@ -79,6 +79,8 @@
krb5_get_init_creds_opt_set_tkt_life (&opt, 300);
+ krb5_get_init_creds_opt_set_forwardable (&opt, FALSE);
+ krb5_get_init_creds_opt_set_proxiable (&opt, FALSE);
argc -= optind;
argv += optind;
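Review bot: The two added calls after krb5_get_init_creds_opt_set_tkt_life hard-code FALSE with no comment saying why, so a later cleanup could drop them as redundant; a one-line comment noting that the kadmin/changepw principal carries disallow-forwardable would make the intent clear. The proxiable line is not covered by the discussion in this message, so the commit message should say why it is switched off along with forwardable.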