Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)

To do this, it's important to understand that to authenticate to Kerberos, one of two things has to happen:

1. A human has to enter a secret at some point.
2. A secret has to be stored somewhere on a computer.

You can play some funny games with either of these two things, but it basically boils down to #1 or #2.

Now, to truly run kadmin unattended, you need to store the secret key of a privileged user somewhere on the computer that will run kadmin. That means that if the system is ever compromised, the attacker could gain access to this secret key and use it to do nasty things to your Kerberos database. You need to decide if you want to open yourself up to this risk.

That being said .... here's how you do it.

1. Create the admin principal you wish to use.
2. Put the key for the admin principal somewhere on your machine (in a keytab).
3. Use kinit to acquire a Kerberos ticket for the principal from the keytab, and run kadmin with -q to perform whatever tasks you wish.

Here's an example of a shell script that does this.

    #!/bin/sh
    #
    # Make sure the Kerberos binaries are on the path.
    PATH=$PATH:/path/to/kerberos; export PATH
    # Use a private credential cache for this run, and remove it on exit.
    KRB5CCNAME=/tmp/krb5cc_root_$$; export KRB5CCNAME
    trap kdestroy 0 1 2 3 5 15
    # Get a ticket for the kadmin service using the key stored in the keytab;
    # stop here rather than running kadmin without a ticket.
    kinit -S kadmin/admin -k -t /path/to/keytab admin_principal || exit 1
    # Run a single kadmin query with that ticket.
    kadmin -c $KRB5CCNAME -q "delprinc foo"
    exit 0
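A hardened variant of the same three-step procedure, written here as an added example rather than the FAQ's own script: it refuses a keytab that other users can read, keeps the ticket in a private credential cache that is destroyed on exit, and stops if kinit fails. The keytab path, the principal name and the kadm5.acl remark are assumptions, not values from the FAQ.

```shell
#!/bin/sh
# Added example (not the FAQ's script): unattended kadmin with a few checks.
# Assumptions: MIT Kerberos kinit/kadmin/kdestroy are on PATH, the admin
# principal's key was exported to KEYTAB with ktadd, and that principal has
# only the kadm5.acl rights the scheduled task needs (hypothetical names).
KEYTAB=${KEYTAB:-/path/to/keytab}            # placeholder path
ADMIN_PRINC=${ADMIN_PRINC:-admin_principal}  # hypothetical principal name

# check_keytab FILE: a stored secret is only as safe as the file holding it,
# so refuse a keytab that is missing, owned by someone else, or readable by
# group/other. Returns 0 when the keytab is acceptable.
check_keytab() {
    ktab=$1
    [ -f "$ktab" ] || { echo "keytab $ktab: missing" >&2; return 1; }
    # -O (file owned by the effective user) is supported by bash, dash and ksh
    [ -O "$ktab" ] || { echo "keytab $ktab: not owned by $(id -un)" >&2; return 1; }
    # columns 5-10 of 'ls -l' are the group and other permission bits
    mode=$(ls -ld "$ktab" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "keytab $ktab: mode too open" >&2; return 1; }
    return 0
}

# run_kadmin QUERY: get a fresh ticket for kadmin/admin from the keytab into
# a private credential cache, run one kadmin query, then destroy the cache.
run_kadmin() {
    query=$1
    check_keytab "$KEYTAB" || return 1
    umask 077                                   # cache file is created 0600
    KRB5CCNAME=FILE:/tmp/krb5cc_kadmin_$$; export KRB5CCNAME
    trap 'kdestroy -q 2>/dev/null' 0 1 2 3 15   # no ticket left behind
    # abort instead of running kadmin without a ticket
    kinit -S kadmin/admin -k -t "$KEYTAB" "$ADMIN_PRINC" || return 1
    kadmin -c "$KRB5CCNAME" -q "$query"
}

# Usage: ./kadmin-unattended.sh 'getprinc foo'
if [ $# -gt 0 ]; then
    run_kadmin "$1"
fi
```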
Send corrections/additions to the FAQ Maintainer: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Last Update March 27 2014 @ 02:11 PM