Your case is a good example. How do you allow principal creation with no random keys? I hope this means with no password as well. Also with PKINIT, it is window's specific. right? And still user needs to have the password set first and then PKINIT comes to picture. right? As admin we want to create the users via a process and when user tries to login to our system, it is asked to set its password and our admin process will set the password in kerberos for them. But it seems kerberos cannot be a place holder for username without password!? And if somehow it is how does it handle when it comes to authentication? I see its chpassword needs old and new password to be specified. Even if it lets you to say the old password is null and does not return an error, then it is a security hole, since anybody with that username and null password can authenticate!? Thank you.
Ken Raeburn wrote: > An administrator could change the password with kadmin's "cpw" command. > > This is roughly the use case I had in mind: At a school, a registrar > creates accounts (including Kerberos principals) for use by the > students in a class, with names constructed like <class > identifier><sequence number>, e.g., c101_12, with random keys (or, if > we allowed it, with no keys). The realm is shared across a bunch of > classes. The instructors for the class are given the ability to > change passwords for accounts, but not to create new accounts. After > the first class, each student meets with the instructor or teaching > assistants, gets assigned an account id, and picks a password which is > set on the principal then and there by the instructor. Probably not > the most convenient way of doing it, compared to, say, having the > registrar assign initial passwords and require that the passwords be > changed immediately, but it would work. > > > Another no-password case would be PKINIT; if the initial tickets are > always acquired via PKINIT, there's no need for a password. > > Ken ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
