Difference between revisions of "Projects/What does God need with a password"
Revision as of 16:50, 13 September 2010
kinit -C with apologies to Star Trek.
The administrator of a Kerberos database has access to all user keys within that database. This is sufficient to impersonate any user. Today, no convenient user interface is provided for logging in as a given user without changing that user's passowrd. This project proposes to add a -c (cheat) option to kinit. If this option is supplied, then the key will be extracted from the database rather than prompting for a password. This option requires that kinit be run on a KDC with read access to the Kerberos database and stash file.
Kinit will register and use the kdb keytab in order to access the database. It will actually contact the KDC process and go through th efull AS-REQ path. The advantage of this is that any authorization data is generated. The disadvantage is that users who require pkinit or hardware preauth cannot be logged in using this mechanism. As a result, kinit will link against libkdb5 and libkadm5srv.