Incidentally, I’m not entirely sure we want this to work. We’re concerned about what happens if a system is compromised. That’s a concern because many of our systems are run by grad students. With root you could get a copy of someone else’s key table. At that point you could use it on any machine in the system, and the real user would probably never know.
We use a daemon that allows a user to register that they want to be able to do cron jobs (could be used for other things) on that system. The client can fetch a credential, which is locked to the IP address and not forwardable. (The primary intent is to use it with NFS. It doesn't need forwardable credentials.)

> On Nov 22, 2019, at 2:04 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
> On Fri, 22 Nov 2019, Charles Hedrick via FreeIPA-users wrote:
>> Interesting idea, but seems to require a time machine. The kerberos in
>> centos 8 is 1.16. I believe Ubuntu 18 is also.
>
> Actually, I did check the source code commits in upstream MIT
> Kerberos and I attributed it wrongly. '-f' is part of 1.17 release and
> '-s' is in 1.16 release. So, it should be in RHEL 8.
>
>> On Nov 22, 2019, at 1:21 PM, Alexander Bokovoy via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> ktutil> add_entry -password -p principal -k kvno -f
>>
>> The key part here is '-f' which fetches a salt from KDC. Otherwise,
>> you'd need to use '-s salt' option to specify a salt manually. Option
>> '-f' appeared in MIT 1.18, '-s' in MIT Kerberos 1.17.
>>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
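The ktutil invocation quoted in the thread, as an added example that is not part of the thread, of MIT Kerberos or of FreeIPA: a small POSIX shell script that emits the ktutil command sequence for a password-derived keytab entry, using 'add_entry -f' (salt fetched from the KDC) where the client krb5 is new enough and falling back to an explicit '-e enctype -s salt' otherwise. The version threshold (1.17) is taken from the thread's correction and is a parameter, not a verified fact; the fallback salt assumes MIT's default salt rule (realm followed by the principal components with the '/' separators removed), and the enctype name, principal names and keytab path are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread, MIT Kerberos or FreeIPA.
# Builds the ktutil command sequence that adds a password-derived keytab
# entry, preferring 'add_entry -f' (salt fetched from the KDC) and falling
# back to an explicit '-e enctype -s salt' on older krb5 client libraries.
#
# Assumptions (not stated by the thread):
#  * FETCH_SALT_MIN_* is the release where 'add_entry -f' appeared; the
#    thread's correction says 1.17, so that is the default here.
#  * The fallback salt follows MIT's default salt rule: realm, then the
#    principal components with '/' separators removed. A KDC that stores
#    keys with a different salt type would make this fallback produce a
#    non-matching key, which is exactly why '-f' is preferred when available.

FETCH_SALT_MIN_MAJOR=1
FETCH_SALT_MIN_MINOR=17

# ktutil_has_fetch_salt VERSION -> exit 0 if VERSION (e.g. "1.16.1") >= 1.17
ktutil_has_fetch_salt() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$FETCH_SALT_MIN_MAJOR" ] && return 0
    [ "$major" -eq "$FETCH_SALT_MIN_MAJOR" ] && \
        [ "$minor" -ge "$FETCH_SALT_MIN_MINOR" ] && return 0
    return 1
}

# default_salt PRINCIPAL -> MIT default salt string for name@REALM
# (host/nfs.example.com@EXAMPLE.COM -> EXAMPLE.COMhostnfs.example.com)
default_salt() {
    case $1 in
        *@*) ;;
        *) echo "default_salt: principal must include a realm" >&2; return 1 ;;
    esac
    realm=${1##*@}
    name=${1%@*}
    printf '%s%s\n' "$realm" "$(printf '%s' "$name" | tr -d '/')"
}

# ktutil_script PRINCIPAL KVNO KEYTAB VERSION -> prints the ktutil commands.
# The password is prompted for by ktutil itself, so it never appears in
# argv or shell history; pipe the output into 'ktutil' on a trusted host.
ktutil_script() {
    princ=$1; kvno=$2; keytab=$3; version=$4
    if ktutil_has_fetch_salt "$version"; then
        # salt is fetched from the KDC, matching the command quoted above
        printf 'add_entry -password -p %s -k %s -f\n' "$princ" "$kvno"
    else
        # no KDC lookup: enctype and salt must be supplied explicitly
        salt=$(default_salt "$princ") || return 1
        printf 'add_entry -password -p %s -k %s -e aes256-cts-hmac-sha1-96 -s %s\n' \
            "$princ" "$kvno" "$salt"
    fi
    printf 'write_kt %s\nquit\n' "$keytab"
}

# Stand-alone demo: the sequence for a cron principal on a 1.16 client.
if [ "${1:-}" = "--demo" ]; then
    ktutil_script cronuser@EXAMPLE.COM 1 /tmp/cronuser.keytab 1.16
fi
```

Typical use is `ktutil_script user@EXAMPLE.COM 3 /tmp/user.keytab "$(krb5-config --version | awk '{print $NF}')" | ktutil`, then `kinit -kt /tmp/user.keytab user@EXAMPLE.COM` to confirm the derived key matches what the KDC holds; a mismatch on the fallback path almost always means the KDC did not use the default salt, and the '-f' form is the fix.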