[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kadmin prompts for passwd

To: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
Subject: Re: kadmin prompts for passwd
From: Juha Jäykkä <juhaj@iki.fi>
Date: Fri, 16 May 2008 23:13:21 +0300
Cc: heimdal-discuss@sics.se
In-reply-to: <191D40AF-9A9E-46F7-8B56-29BB5EBD6380@ece.cmu.edu>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
Organization: University of Turku
References: <200805162124.21333.juhaj@iki.fi><191D40AF-9A9E-46F7-8B56-29BB5EBD6380@ece.cmu.edu>
Reply-To: heimdal-discuss@sics.se, Juha Jäykkä <juhaj@iki.fi>
User-Agent: KMail/1.9.9

> Er, that's how it's supposed to work and how it has always worked.  If

Nope. That's not how it used to work.

> you really do want to put your KDC at risk in the name of convenience,
> use "kinit -S kadmin/admin foo/admin" to get a ticket that will enable

And I definitely never did this (this is on another realm):

foo@host 23:07:32 ~> kdestroy
foo@host 23:07:32 ~> kinit foo/admin
foo/admin@TFY.UTU.FI's Password: 
foo@host 23:07:44 ~> kadmin get bar
            Principal: bar@REALM
etc.

> password-less kadmin (and likewise enable it for anyone who can get at
> your ticket file --- which is why kadmin prompts).

Ok. I can see the point here. But now I'm troubled: you claim it always asks 
and has always asked password, but it is not what I observe. Either of the 
realms must have something very strange going on. From your reply, it sounds 
like the one which does not ask for passwords is behaving strangely. Only the 
question "why" remains!

BTW, I rather liked the single-sign-on -behaviour of Heimdal, including 
kadmin, but you raised a good point and I'll need to reconsider.

-Juha

-- 
		 -----------------------------------------------
		| Juha Jäykkä, juolja@utu.fi			|
		| home: http://www.utu.fi/~juolja/		|
		 -----------------------------------------------

--nextPart1654504.mEmlz1RUzO
Content-Type: application/pgp-signature; nameÂgnature.asc
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQBILermSqzK5nsyX0kRAk+mAKDvvNKlWW8C9caCoqXx8AmBWK3LDQCfa88f
085srA7J9XoWh1oG6zsvHVUj7j
-----END PGP SIGNATURE-----

--nextPart1654504.mEmlz1RUzO--

Follow-Ups:
- Re: kadmin prompts for passwd
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>

References:
- kadmin prompts for passwd
  - From: Juha Jäykkä <juhaj@iki.fi>
- Re: kadmin prompts for passwd
  - From: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>

Prev by Date: Re: kadmin prompts for passwd
Next by Date: Re: kadmin prompts for passwd
Prev by thread: Re: kadmin prompts for passwd
Next by thread: Re: kadmin prompts for passwd
Index(es):
- Date
- Thread