On Tue, 2010-01-26 at 06:58 -0500, Rainer Laatsch wrote:
> If a request is securely accepted (e.g. otp), is there a method to
> synthetically grant a krb5.keytab / KRB5CCNAME w/ krbtgt to a user
> by kadmin.local? Could be a help for batch jobs or login purposes.

If you do "ktadd -k filename -norandkey principalname" in kadmin or kadmin.local, it will spit out a keytab for that principal into filename. The security consequences of such infrastructure should be pretty clear, but in case they aren't: this service would have the ability to impersonate any user to any other service, and should therefore be treated with the same sensitivity as the KDC itself.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
