> How do you allow principal creation with no random keys? I hope > this means with no password as well.
At the moment, I don't think it's possible in the MIT code. But with PKINIT, we may want to change that. > Also with PKINIT, it is window's specific. right? Um, no, but MIT isn't shipping an implementation yet. > And still user needs to have the password set first and then PKINIT > comes to picture. right? At least in theory, no; if you present a certificate and proof that you have the key, you get your Kerberos credentials. (Well, subject to a bunch of other constraints, but not involving having a separate Kerberos key or password.) > As admin we want to create the users via a process and when user > tries to login to our system, it is asked to set its password and > our admin process will set the password in kerberos for them. But > it seems kerberos cannot be a place holder for username without > password!? And if somehow it is how does it handle when it comes to > authentication? If you created a placeholder account and set the password later, you'd need to set the password via some privileged process (such as having an administrator do it with their credentials), ideally after using some other verification system (like looking at the user's government-issued identification). My point was that different administrators might have different privileges, with some being able to set passwords on certain previously-created accounts but not allowed to create them; then the "placeholder" functionality would make sense, but there'd be little use for a password or even a random key (with the approach I described). > I see its chpassword needs old and new password to be specified. > Even if it lets you to say the old password is null and does not > return an error, then it is a security hole, since anybody with > that username and null password can authenticate!? You'd have to have the right privileges to set the password on a principal without having the old password. It wouldn't be allowed for random users. Ken ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
