voided if you can find a different approach.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
ackage is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org)
ls, and doesn't really matter if you're logging on to the system
with local credentials and then getting Kerberos credentials later.
(This is mostly relevant for work computers that use central Kerberos to
authenticate all access, computer labs that have multiple users, and
similar sorts of ca
If you're only doing incremental replication and you think
something may have gone wrong, you can always do a full replication, which
guarantees that the slave is identical to the master.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
only exception would be if somehow Kerberos
could be convinced to use the same hashing algorithm as LDAP, but I don't
think that's the case. (The client and the KDC have to agree on a hashing
algorithm, so this isn't a simple thing to do.)
--
Russ Allbery (ea...@eyrie.org)
er points, though.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
rmor. People who are working in this area may find
its source code useful to look at, although I think there have been
improvements since then and what it does may no longer be best practice.
https://github.com/rra/pam-krb5/blob/main/module/fast.c
--
Russ Allbery (ea.
Simo Sorce writes:
> On Fri, 2023-02-24 at 16:27 -0800, Russ Allbery wrote:
>> Essentially everything that I don't like about GSSAPI is a direct
>> consequence of the fact that it's a generic authentication protocol
>> that in theory (although essentially never in pra
with TLS in the secure transport business. But
that's a whole different can of worms since TLS is very wedded to X.509
certificates and there are a bunch of very good reasons to not want to use
X.509 certificates for client authentication in a lot of situations.)
--
Russ Allbery (ea...@
that code myself, and I don't agree.
> It does pay a price, but if all you need is encrypted sessions, then
> it's simple.
I think we have very different definitions of simple.
--
Russ Allbery (ea...@eyrie.org) <https://ww
nd all the complexity with
major and minor status codes makes the equivalent GSS code complicated and
annoying.
GSS pays a significant price for being a generic mechanism with a
negotiation method, and the API does not hide that price from the
programmer.
--
Russ Allbery (ea...@eyrie.org)
n.
(I have implemented something akin to this before, and that's how I did
it.)
> Forging a cross-realm TGT would definitely be preferable, although I'm
> not sure if it's doable with libkrb5.
It should be doable, but you may have to use really low-level functions to
duplicate what kimpersonate
sk
(again, the GSS service is functionally equivalent to a KDC, so this is
just the KDC database in another format), and then your GSS service can
generate TGTs through normal libkrb5 calls using the keytab and doesn't
have to do anything special.
--
Russ Allbery (ea...@eyrie.org)
s your krb5.conf, but the error message is about your kdc.conf
(/etc/krb5kdc/kdc.conf). It has its own separate supported_enctypes
setting.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
hough it's been a few
years.
> I guess one what would be to create principals for the cnames.
Right, yeah, that. Similar to what we had to do with LDAP servers.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
eps kerberos. If you have something like
> ldap deployed, that can help, but we don't like the idea of every system
> call like ls -al phoning an LDAP server.)
Yes, at Stanford we disabled public key and required GSS-API for most
things.
--
Russ Allbery (ea...@eyrie.org)
used to produce, though, so maybe this is a different
problem.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
l of that out of my
brain. But maybe that was a different problem, since, looking at the
code, I think I used a prompter that rejected all password prompts, which
is sort of the opposite problem from the problem you're having.
--
Russ Allbery (ea...@eyrie.org) <https:
ght, it feels like the root problem is the combined
password mechanism that overloads the password field to carry unrelated
additional information, but unfortunately that may be forced by the number
of protocols that are entirely unable to deal with additional PAM prompts.
--
Russ Allbery (ea...@eyrie.org)
that the
passed-in password can be sent after the FAST negotiation and therefore
re-prompts internally? I'm not sure I entirely understand the logic flow
here.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
cost of more complexity in the PAM module).
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
t; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.o
the krb5_get_init_creds_password attempt?
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
. (I can give you example client-server if you
> need it.)
You may also be interested in remctl, which is designed to do this sort of
thing.
https://www.eyrie.org/~eagle/software/remctl/
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
d via GitHub Actions here:
https://github.com/rra/pam-krb5/blob/master/.github/workflows/build.yaml
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
prompting and the prompt control options like use_first_pass.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
bly
completionist as a hobby (although be aware that it's a purely hobby
project at this point), but they would need to include changes to the ci
directory to set up the KDC and RADIUS server appropriately so that the
test suite could do a proper end-to-end integration test.
--
Russ Allbery (ea...@eyrie.
ng Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.o
(I
never used LDAP, but the same principle mostly applies) and then wrapping
my own protocol around whatever that operation wanted to return.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
ported to 4.9 in Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
tained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <https://www.
the randomly-generated key, but... it's randomly generated.
So if there is any realistic chance of success in this, you have much
larger problems.
(I don't have off-the-cuff answers to your other questions.)
--
Russ Allbery (ea...@eyrie.org) <
t already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
>data, resp[pam_prompts].resp, len + 1);
prompts[i].reply->length = (unsigned int) len;
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
Russ Allbery writes:
> Public announcement: 2009-03-30
Mutter. Obviously, this should be 2020-03-20.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
Russ Allbery writes:
> Russ Allbery writes:
>> Public announcement: 2009-03-30
> Mutter. Obviously, this should be 2020-03-20.
Or even 2020-03-30, a mistake that I have made every time I have written
that date.
--
Russ Allbery (ea...@eyrie.org) <https://www.e
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org)
kinit isn't affected is that it doesn't use a responder
> callback.)
Yes, that makes perfect sense in retrospect. I should have started with
gdb before speculating.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
Greg Hudson writes:
> On 3/8/20 8:01 PM, Russ Allbery wrote:
>> I think the reason why I am confused by this is that Heimdal uses the
>> prompter to pass along informational messages such as "your principal
>> is about to expire," and I wasn't sure how MIT Kerb
request: (empty)
1583711787.103204: AS key determined by preauth: aes256-cts/1BD3
1583711787.103205: Decrypted AS reply; session key is: aes256-cts/8D62
1583711787.103206: FAST negotiation: available
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
kinit only prompts
once, but I think that's because kinit never calls krb5_verify_init_creds.
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
ield. I think
it's all or nothing: either you can list all principals or you can't. The
man page for kadm5.acl seems to support that:
l [Dis]allows the listing of all principals or policies
--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
ctions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable. There may be a bit
of delay due to NEW processing.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org)
Grant Taylor writes:
> On 1/8/19 6:22 PM, Russ Allbery wrote:
>> Internet use is very common in the Kerberos community.
> Does this include client <-> KDC?
Yes. A lot of higher education institutions that have used Kerberos for
many, many years have their KDCs direct
t I'd probably invest my effort in
FAST via anonymous PKINIT to solve that problem instead of network
tunnels.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
the correct
machine). In an ideal world, the machine is launched with some existing
credentials (like a TLS private key) that are installed on it securely,
and then you use those credentials to bootstrap other credentials it
needs, such as keytabs.
--
Russ Allbery (ea..
Grant Taylor writes:
> On 01/07/2019 10:53 AM, Russ Allbery wrote:
>> The standard solution for this is FAST, which protects the initial
>> authentication against this attack. (You do need some other credential
>> to set up the FAST tunnel, but you can use anonymo
a ll Kerberos n00b
> should read? (I've been following How-Tos and gotten a lot to work.)
I don't have a good answer for this, unfortunately.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
t needs from that.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
how good the support for that is
for all protocols and older versions.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
I saw your other follow-up, but just to close out a few things with this
thread
Kristen Webb writes:
> On Tue, Sep 25, 2018 at 3:11 PM Russ Allbery wrote:
>> It should only do this if the ticket is going to expire sooner than two
>> minutes before the next wake-up period,
ably want to split those two
operations.
Unfortunately, k5start doesn't currently have a mode of operation in which
it only runs the aklog command but doesn't try to renew tickets if they
aren't about to expire.
--
Russ Allbery (ea...@eyrie.org) <
ftware/wallet/>
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <http://w
ftware/remctl/>
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery
Giuseppe Mazza <g.ma...@imperial.ac.uk> writes:
> I want to install a new kerberos slave running on Ubuntu16.04. I would
> like to prevent the service krb5-admin-server running on the slave.
systemctl disable krb5-admin-server
--
Russ Allbery (ea...@eyrie.org)
Mark Pröhl <m...@mproehl.net> writes:
> On 04/16/2018 05:51 PM, Russ Allbery wrote:
>> ... Clients aren't going to generally all try to get a ticket at the
>> same time, due to ticket caching, so that scales to a lot of clients.
> I have only seen JAVA/JAAS
lks are interested).
Ah, good, I'm glad my 100 qps number was off in the direction that I
thought it would be. I didn't want to overpromise, but KDCs are *really
fast*.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
ent always provides that
encrypted copy of the key back in subsequent protocol exchanges.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
ent to automatically retry
the master if an authentication fails against the replica, which can be
useful for authentication immediately after a password change if you're
not using incremental replication.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagl
ly better than two.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
really short
ticket lifetimes, or you have some other unusual situation.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
for this memory management error. It's an obvious error in
context and was probably left over from a code refactoring when developing
the sudo feature. I hope to include better automated memory management
testing in the next release of remctl after 3.14.
--
Russ Allbery (ea...@eyrie.org) <h
listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
es sense -- I just don't think it's something that currently exists
in the KDC's permission model, at least so far as I can tell. Although
it's entirely possible I'm missing something.
--
Russ Allbery (ea...@eyrie.org) <http:/
d want to leave service tickets enabled in that
situation.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
Chris Hecker <chec...@d6.com> writes:
> Ah. Is there any way to prevent a service princ from being able to get
> tickets?
> As in, if one of my service keytabs is compromised, can I prevent those
> princs from being used like a normal user princ?
I think you want -allow_tix.
et for that principal.
It doesn't have any effect on authenticating as that principal.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
stable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
l in libsystemd quietly does nothing, successfully,
if the system wasn't booted with systemd.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
not notify systemd of startup: %s", strerror(-status));
Then you can be a native systemd daemon and systemd will know exactly when
the KDC is ready to respond to connections, which will resolve various
race conditions when some other system service depends on the KDC for
startup.
--
Russ All
rg/~eagle/software/krb5-sync/
It doesn't use LDAP to store the password, only the account status. It
uses the Kerberos password change protocol to store the password. So that
won't be immediately helpful for a generic LDAP server.
--
Russ Allbery (ea...@eyrie.org) <http:/
y model.
You're correct that the default value of the noaddresses configuration
option is true, largely because address-locked tickets tend to cause tons
of problems in modern network environments that often involve NAT.
--
Russ Allbery (ea...@eyrie.org) <
Russ Allbery <ea...@eyrie.org> writes:
> Charles Hedrick <hedr...@rutgers.edu> writes:
>> * A kerberized service where the user registers that they want to be
>> able to do cron jobs on a given machine.
>> * A kerberized pam module that calls the same service and
n-root users and root, but
not if you don't trust the machine.
The point of the TPM is that you can't exfiltrate the keys, even if you
have root, only perform on-line operations.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
If you go down that path, I'd probably
try to figure out some way to do PKINIT using a TLS certificate stored in
the TPM. I'm not aware of anyone who has already done that work, but it
would be a pretty interesting project.
--
Russ Allbery (ea...@eyrie.org)
en doing
for you versus just using the PKI and using PKINIT to get Kerberos
tickets. There are probably some practical uses for introducing the extra
layer of complexity, but it's not obviously necessary.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
the
> same.
You have to explicitly set the realm in your authentication call if it
doesn't match the default realm. There's no way that Kerberos can figure
this out from the keytab since cross-realm authentication is valid in
Kerberos, so you may well want to be using a key from one realm to
ge is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <h
push
stuff around.)
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
ository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
weren't, since KEYRING has nice security properties, but it's relatively
new and the rest of the world has definitely not adapted yet.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
ferred ticket cache format and then adjusted
KRB5CCNAME in the user's environment. Unfortunately, there doesn't appear
to be any way of preventing the ticket cache from being temporarily
written to /tmp.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
rotected web sites became
inaccessible due to all the replay cache rejections.
I think modern replay caches may no longer have this collision issue?
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
e know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
dows are usually also done with AD
configuration. (Disclaimer: I've never done the AD side of this setup
myself.)
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
afeguard is that meaningful. But it does
depend on your threat model. It's pretty good against a local admin who
decides to casually snoop on things but won't be bothered to upload a new
tmux binary, since a bit of obscurity will be enough to deter that sort of
attacker. It's probabl
is, from a security standpoint, kind of
pointless. It's just security via obscurity.
If you are using SELinux, it might be easier to just not give root access
to the tmux sockets.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
enticated copy of a dump and loading it on the
other end.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
That's effectively what kprop/kpropd do.
Just copying the database file runs the risk of copying a corrupt database
because you happened to catch it in the middle of a write, as you note.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
tained using Git; see the instructions on the above
page to access the Git repository.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.o
eature requests not already listed
in the TODO file.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
gle/software/remctl/>
This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.
Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbe
using openldap with the ldap backend.
I assume you've already looked for daily cron jobs? It's common for LDAP
servers to take a nightly LDIF dump for backups, for example, which would
cause symptoms like this.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
directly,
since I believe all of that is effectively gated on being domain-joined.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
ions.
You may find:
http://www.eyrie.org/~eagle/software/krb5-sync
useful, although it only does passwords. I believe there is a krb5-adsync
package somewhere based on that which also creates accounts.
--
Russ Allbery (ea...@eyrie.org)
Thanks for the reply!
Greg Hudson <ghud...@mit.edu> writes:
> On 09/05/2015 01:57 AM, Russ Allbery wrote:
>> Sep 4 22:48:34 mithrandir krb5kdc[12868]: AS_REQ (6 etypes {18 17 16 23 25
>> 26}) 127.0.0.1: KDC_RETURN_PADATA: WELLKNOWN/anonym...@eyrie.org for
>> krbtgt/
. And I'm not sure why it wouldn't work, particularly
since it was previously working just fine (with the same server software
version, although an older MIT Kerberos client version).
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~ea
Russ Allbery <ea...@eyrie.org> writes:
> I had working PKINIT in my test MIT Kerberos realm using certificates
> issued by Heimdal, but now all attempts to authenticate with PKINIT are
> just failing with the following error in the KDC syslog:
> Sep 4 22:48:34 mithrandir krb5
then do your krb5_get_init_creds_password call as normal
with a NULL password. If the KDC offers PKINIT, the Kerberos libraries
should try PKINIT with the identity and anchors configured there.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>