Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 2.10. How do I run kadmin from a shell script unattended?

To do this, it's important to understand that to authenticate to Kerberos,
one of two things has to happen:

  1. A human has to enter a secret at some point.
  2. A secret has to be stored somewhere on a computer.

You can play some funny games with either of these two things, but it
basically boils down to #1 or #2.

Now, to truly run kadmin unattended, you need to store the secret key of a
privileged user somewhere on the computer that will run kadmin. That means
that if the system is ever compromised, the attacker could gain access to
this secret key and use it to do nasty things to your Kerberos database. You
need to decide if you want to open yourself up to this risk.

That being said, here's how you do it.

  1. Create the admin principal you wish to use.
  2. Put the key for the admin principal somewhere on your machine.
  3. Use kinit to acquire a Kerberos ticket for the principal from the
     keytab, and run kadmin with the -q option to perform whatever tasks
     you wish. Here's an example of a shell script that does this.

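     #!/bin/sh
     #
     # Run one kadmin query unattended using a key stored in a keytab.
     PATH=$PATH:/path/to/kerberos; export PATH
     # Private credential cache for this run ($$ is the script's PID).
     KRB5CCNAME=/tmp/krb5cc_root_$$; export KRB5CCNAME
     # Destroy the ticket on exit or on HUP/INT/QUIT/TRAP/TERM.
     trap kdestroy 0 1 2 3 5 15

     # Get a ticket for the kadmin/admin service from the keytab;
     # stop if that fails rather than running kadmin without one.
     kinit -S kadmin/admin -k -t /path/to/keytab admin_principal || exit 1
     kadmin -c "$KRB5CCNAME" -q "delprinc foo"
     exit 0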
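
As an added example (not part of the original FAQ), the kinit/kadmin sequence above can be wrapped so that it refuses to run when the stored key is readable or writable by other local accounts. The function names `check_keytab` and `run_kadmin_query` are hypothetical, the paths and principal names are placeholders, and `mktemp` is assumed to be available.

```sh
#!/bin/sh
# Added example (not from the FAQ). check_keytab and run_kadmin_query are
# hypothetical helper names; paths and principal names are placeholders.

# check_keytab PATH: succeed only if PATH is a regular file (not a symlink),
# owned by the invoking user, with no group or other permission bits set.
check_keytab() {
    kt=$1
    if [ -z "$kt" ] || [ -L "$kt" ] || [ ! -f "$kt" ]; then
        echo "keytab '$kt': missing, a symlink, or not a regular file" >&2
        return 1
    fi
    # "ls -ldn" prints the mode string in field 1 and the numeric uid in field 3.
    owner=$(ls -ldn -- "$kt" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ldn -- "$kt" | awk '{print substr($1, 5, 6)}')
    if [ "$owner" != "$(id -u)" ]; then
        echo "keytab '$kt': owned by uid $owner, not by uid $(id -u)" >&2
        return 1
    fi
    if [ "$perms" != "------" ]; then
        echo "keytab '$kt': group/other bits are '$perms'; chmod 600 it" >&2
        return 1
    fi
    return 0
}

# run_kadmin_query KEYTAB PRINCIPAL QUERY: the FAQ's kinit/kadmin sequence,
# run only if the keytab passes the check; returns kinit's or kadmin's status.
run_kadmin_query() {
    check_keytab "$1" || return 1
    # Unpredictable cache name instead of /tmp/krb5cc_root_$$ (assumes mktemp).
    KRB5CCNAME=$(mktemp /tmp/krb5cc_kadmin_XXXXXX) || return 1
    export KRB5CCNAME
    kinit -S kadmin/admin -k -t "$1" "$2" && kadmin -c "$KRB5CCNAME" -q "$3"
    rc=$?
    kdestroy                      # remove the ticket whether or not kadmin worked
    rm -f "$KRB5CCNAME"
    return $rc
}

# Usage: run_kadmin_query /path/to/keytab admin_principal "delprinc foo"
```

The check covers only the keytab file itself; the directories above it need equally tight ownership and permissions.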
