Russ Allbery wrote:
> Frank Gruellich <frank.gruell...@navteq.com> writes:
>> Greg Hudson wrote:
>>> but I believe that would compromise the requirement that people have to
>>> reenter their passwords in order to run kadmin.
>> But that's, in fact, my intention. I know that kadmin is some kind of
>> critical tool. If security aspects are the only problem with this set
>> up I'll drop them. I accept that kadmin/admin service is just something
>> like host/eloy.example.com.
> The primary practical effect of this restriction is to implement the
> common security requirement that people re-enter their passwords in order
> to change their password. If you drop the special configuration for
> kadmin, you will drop that requirement. If you don't care, then you don't
> care. :)

Oh, damn, that's a true impact...

> What I would do if I were you is have your script switch ticket caches,
> prompt the admin to authenticate and thereby obtain a kadmin/admin ticket
> using kinit -S, and then use that ticket cache for all your operations.
> Then, when you're done, kdestroy and switch back to their current ticket
> cache.

Then I'll prefer that way.

Kind regards,
-- 
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks
Duesseldorfer Strasse 40a
65760 Eschborn
Germany
Phone: +49 6196 77756-414
Fax: +49 6196 77756-100
USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand, Hans Pieter Gieszen, Martin Robert Stockman

________________________________________________
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
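The cache-switching flow Russ describes above, written out as a POSIX sh wrapper. This is an added example, not a script from the thread; the principal name in the usage line is a placeholder, and passing the cache to kadmin with `-c` is an assumption about the MIT kadmin client.

```shell
#!/bin/sh
# Added example (not from the thread): park the admin's current ticket cache,
# obtain only a kadmin/admin service ticket (kinit -S prompts for the
# password) in a private cache, run the command there, then destroy that
# cache and restore KRB5CCNAME. The admin's own TGT cache is never touched.

# with_admin_ccache ADMIN_PRINCIPAL COMMAND [ARGS...]
# Returns the command's exit status, or 1 if kinit -S failed.
with_admin_ccache() {
    admin_princ=$1; shift
    saved_ccache=${KRB5CCNAME-}            # empty if the admin had no cache set
    tmp_ccache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_admin.XXXXXX") || return 1
    KRB5CCNAME="FILE:$tmp_ccache"
    export KRB5CCNAME

    rc=0
    # -S asks the KDC for a kadmin/admin service ticket directly rather than a
    # TGT, so the admin must re-enter the password for the privileged step.
    if kinit -S kadmin/admin "$admin_princ"; then
        "$@" || rc=$?
    else
        rc=1
    fi

    # Tear down the private cache whatever happened, then restore the original.
    kdestroy 2>/dev/null
    rm -f "$tmp_ccache"
    if [ -n "$saved_ccache" ]; then
        KRB5CCNAME=$saved_ccache; export KRB5CCNAME
    else
        unset KRB5CCNAME
    fi
    return "$rc"
}

# Usage against a real KDC (principal is a placeholder). MIT kadmin takes the
# cache via -c, so expand KRB5CCNAME inside the subshell, not before the call:
# with_admin_ccache frank/admin sh -c 'kadmin -c "$KRB5CCNAME" -q listprincs'
```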