On 4/5/23 00:52, Dan Mahoney (Gushi) wrote:
> Can neither MIT kinit nor the Heimdal one supplied with BSD systems by default, not just be forced to a single KDC?

It can't, and the library APIs don't really enable it. A program could use krb5_init_creds_step() or krb5_tkt_creds_step() to compose KDC requests and do its own network transport, but kinit isn't in the business of doing its own network stuff and it doesn't use the _step APIs.

Adding an init_creds option to specify a KDC host would raise some questions. Does the application specify a hostname or an address? Can it specify specifically TCP or UDP or the fallback order? What about https?

At this time I would rather see an externally-maintained KDC probe application using the _step APIs (or for people to keep doing this with faked-up krb5.conf files) than accept the complexity of building this into the MIT krb5 kinit and the API.
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
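
The "faked-up krb5.conf" approach mentioned in the reply, sketched as an added example (not code from the original message or from MIT krb5). The function names are hypothetical, the realm, KDC and principal come from the caller, and it assumes a kinit that honors the KRB5_CONFIG and KRB5CCNAME environment variables, as MIT krb5 does.

```shell
#!/usr/bin/env bash
# Added example: probe a single KDC by pointing kinit at a throwaway
# krb5.conf that lists only that KDC and disables DNS-based KDC discovery.

# write_pinned_conf REALM KDC[:PORT] OUTFILE
# Writes a minimal config whose only KDC for REALM is the one given.
write_pinned_conf() {
    realm=$1 kdc=$2 out=$3
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
    }
EOF
}

# probe_kdc PRINCIPAL REALM KDC[:PORT]
# Runs kinit against that one KDC and returns kinit's exit status.
# A private credential cache keeps the probe away from the user's tickets.
probe_kdc() {
    princ=$1 realm=$2 kdc=$3
    dir=$(mktemp -d) || return 2
    write_pinned_conf "$realm" "$kdc" "$dir/krb5.conf"
    KRB5_CONFIG="$dir/krb5.conf" KRB5CCNAME="FILE:$dir/cc" \
        kinit "$princ@$realm"
    rc=$?
    rm -rf "$dir"    # drops the temporary config and any ticket obtained
    return $rc
}

# Usage (constructed placeholder values):
#   probe_kdc probeuser EXAMPLE.TEST kdc2.example.test:88
```

Adding `udp_preference_limit = 1` under `[libdefaults]` makes MIT krb5 try TCP before UDP, which covers part of the transport question raised in the reply.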
