On 12/14/2016 09:19 AM, Dave Love wrote: > Kevin Fenzi <ke...@scrye.com> writes: > >> On Tue, 13 Dec 2016 14:36:06 +0000 >> Dave Love <d.l...@liverpool.ac.uk> wrote: >> >>> Simo Sorce <s...@redhat.com> writes: >>> >>>> If you really need to automate it because typing a password is too >>>> hard: cat ~/.mykrbpassword | kinit myusername >>> >>> It needs to be automated principally because the password is not >>> memorable. I assume infrastructure people would rather we don't use >>> the least secure credentials we can. >> >> I can't speak for others, but the thought of putting your fas password >> in plain text in some start up file makes me cry. > > Yes, but if people can read it and it only has owner access they could > have stolen the certificate, possibly can steal your ccache, and bets > are off. A keytab isn't plain text, but isn't encrypted; it's used as > "kinit -t <keytab>" with Heimdal and something similar with MIT. > However, I now can't remember whether you need kadmin access to populate > it, and don't know if that's available. >
You do not; you can manipulate a keytab in your local user space with `ktutil`
signature.asc
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org