>>>>> "Frank" == Frank Burkhardt <[EMAIL PROTECTED]> writes:
Frank> Hi everyone, is it possible to get the TGT of an arbitrary
Frank> principal without changing it's password? Maybe there's a
Frank> 'ktadd'-option which prevents modifying the principal's
Frank> key? I do have full control over the realm.
It's possible from a theoretical standpoint but no code is included to
do this. There's sort of a strong belief that doing so would make it
too easy to abuse administrative privilege in a realm. Perhaps more
importantly it might lead to application architectures that depend on
being able to become other users--in effect depending on being able to
do something like the su command on Unix. Such application
architectures tend to be the wrong way of using Kerberos.
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
