Frank Gruellich <[email protected]> writes:
> Greg Hudson wrote:

>> but I believe that would compromise the requirement that people have to
>> reenter their passwords in order to run kadmin.

> But that's, in fact, my intention. I know, that kadmin is some kind of
> critical tool. If security aspects are the only problem with this set
> up I'll drop them. I accept that kadmin/admin service is just something
> like host/eloy.example.com.

The primary practical effect of this restriction is to implement the common security requirement that people re-enter their passwords in order to change their password. If you drop the special configuration for kadmin, you will drop that requirement. If you don't care, then you don't care. :)

What I would do if I were you is have your script switch ticket caches, prompt the admin to authenticate and thereby obtain a kadmin/admin ticket using kinit -S, and then use that ticket cache for all your operations. Then, when you're done, kdestroy and switch back to their current ticket cache.

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
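
The cache-switching procedure suggested in the reply above, sketched as an added example that is not part of the original message or of any project's own scripts. The function name `with_kadmin_cache`, the principal `alice/admin` and the sample queries are assumptions for illustration.

```shell
#!/bin/sh
# Added example: run kadmin queries under a separate, throwaway ticket cache.
# The function name, principal and queries are assumptions for illustration.
# Usage: with_kadmin_cache alice/admin "getprinc bob" "listprincs"

# The body is a subshell "( ... )", so KRB5CCNAME, the traps and all variables
# vanish on return and the caller's own ticket cache is never touched.
with_kadmin_cache() (
    admin_princ=$1
    shift

    # Private directory (mode 0700) so no other local user can read the cache.
    umask 077
    cache_dir=$(mktemp -d "${TMPDIR:-/tmp}/kadmin-cc.XXXXXX") || exit 1
    KRB5CCNAME="FILE:$cache_dir/cc"
    export KRB5CCNAME

    # Destroy the admin ticket on every exit path, including Ctrl-C.
    trap 'kdestroy -q -c "$KRB5CCNAME" 2>/dev/null || true; rm -rf "$cache_dir"' EXIT
    trap 'exit 130' INT TERM HUP

    # Prompts for the password; the cache then holds only a kadmin/admin
    # service ticket obtained by authenticating afresh.
    kinit -S kadmin/admin -c "$KRB5CCNAME" "$admin_princ" || exit 1

    # Each query reuses the ticket in the temporary cache instead of prompting.
    for query in "$@"; do
        kadmin -c "$KRB5CCNAME" -p "$admin_princ" -q "$query" || exit 1
    done
    exit 0
)
```

Because the whole function runs in a subshell, "switching back" needs no explicit step: the caller's `KRB5CCNAME` is unchanged when the function returns.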
