Re: Extract Keytab permissions

> On Mar 15, 2005, at 2:14 PM, Love Hörnquist Åstrand wrote:
> >
> > "Henry B. Hotz" <hotz@jpl.nasa.gov> writes:
> >
> >> What I don't understand is ext_keytab.  I don't see how that command
> >> is protected, or what permission it uses.
> >>
> >> What I'd like to do is specify an "admin" account that's allowed to
> >> get expiration dates and maybe enctypes for everybody, but can't
> >> extract a keytab for (and impersonate) anybody.  In other terms:  the
> >> metadata is OK, but the keys aren't.
> >
> > I've got a patch that I've been meaning to integrate any month
> > now.  It adds a new keyword "key" to the ACL table.


Do you have another patch like this so that a user can view his/her
own but no other KDC entry, just like this was the case in AFS?

"kas examine" worked for your own account. To view others you needed
to have the ADMIN flag set.

It was always handy that users could get the age of their own password.


  Alf Wachsmann                       | e-mail: alfw@slac.stanford.edu
  SLAC Computing Service              | Phone:  +1-650-926-4802
  2575 Sand Hill Road, M/S 97         | FAX:    +1-650-926-3329
  Menlo Park, CA 94025, USA           | Office: Bldg. 50/323
                http://www.slac.stanford.edu/~alfw (PGP)