[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kadmin prompts for passwd

To: heimdal-discuss@sics.se, Juha Jäykkä <juhaj@iki.fi>
Subject: Re: kadmin prompts for passwd
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Fri, 16 May 2008 16:48:10 -0700
Cc: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
In-Reply-To: <200805162313.26160.juhaj@iki.fi>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <200805162124.21333.juhaj@iki.fi> <191D40AF-9A9E-46F7-8B56-29BB5EBD6380@ece.cmu.edu> <200805162313.26160.juhaj@iki.fi>
Reply-To: heimdal-discuss@sics.se, "Henry B. Hotz" <hotz@jpl.nasa.gov>

There have been some buggy versions recently that did use the ccache  
for kadmin access.  AFAIK this is fixed now, partly because some of us  
complained.  Pretty sure that 1.1 and 0.7.x don't use the ccache.

In other words, "that's not a feature, that's a bug!".  ;-)

On May 16, 2008, at 1:13 PM, Juha Jäykkä wrote:

>> Er, that's how it's supposed to work and how it has always worked.   
>> If
>
> Nope. That's not how it used to work.
>
>> you really do want to put your KDC at risk in the name of  
>> convenience,
>> use "kinit -S kadmin/admin foo/admin" to get a ticket that will  
>> enable
>
> And I definitely never did this (this is on another realm):
>
> foo@host 23:07:32 ~> kdestroy
> foo@host 23:07:32 ~> kinit foo/admin
> foo/admin@TFY.UTU.FI's Password:
> foo@host 23:07:44 ~> kadmin get bar
>            Principal: bar@REALM
> etc.
>
>> password-less kadmin (and likewise enable it for anyone who can get  
>> at
>> your ticket file --- which is why kadmin prompts).
>
> Ok. I can see the point here. But now I'm troubled: you claim it  
> always asks
> and has always asked password, but it is not what I observe. Either  
> of the
> realms must have something very strange going on. From your reply,  
> it sounds
> like the one which does not ask for passwords is behaving strangely.  
> Only the
> question "why" remains!
>
> BTW, I rather liked the single-sign-on -behaviour of Heimdal,  
> including
> kadmin, but you raised a good point and I'll need to reconsider.
>
> -Juha
>
> -- 
> 		 -----------------------------------------------
> 		| Juha Jäykkä, juolja@utu.fi			|
> 		| home: http://www.utu.fi/~juolja/		|
> 		 -----------------------------------------------

References:
- kadmin prompts for passwd
  - From: Juha Jäykkä <juhaj@iki.fi>
- Re: kadmin prompts for passwd
  - From: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
- Re: kadmin prompts for passwd
  - From: Juha Jäykkä <juhaj@iki.fi>

Prev by Date: Re: kadmin prompts for passwd
Next by Date: =?big5?B?eaG6tHi0pKbtt8eryKThplez5qFBpc6576R1qOOzzK2rrW4hcaG/?=
Prev by thread: Re: kadmin prompts for passwd
Next by thread: =?big5?B?eaG6tHi0pKbtt8eryKThplez5qFBpc6576R1qOOzzK2rrW4hcaG/?=
Index(es):
- Date
- Thread