I had this problem when I needed to set up a way for users to change or reset their Kerberos passwords. I didn't want to let most of the users have shell access to the Linux boxes and I really did not want accounts with a generic password that never gets changed. That pretty much eliminated kpasswd.
I ended up writing a CGI application that runs on an internal web server and connects to the admin server via an ssh session. The ssh session is configured to start up a small agent program that receives a username and password then uses kadmin to change or reset the password. The program runs as a user with only sufficient privileges to set a password on an existing account and change its expiration time ("ADmciL" in kadm5.acl).

It seemed kind of a clumsy way to do it and the code is not everywhere pretty. Still, after I hammered out the wrinkles in permissions and ssh keys, it has worked pretty well. So it is doable but takes some work.

On 03/04/2015 06:32 PM, arun elango [Masked] wrote:
> Hi Ben,
>
> Thanks.
>
> Yes, Kpasswd can be used. But it requires users' interaction in the
> console. I am looking for other methods wherein users don't need to enter
> their passwords in the console, i.e. pass the parameters to the kpasswd
> console programmatically.
>
> However, I heard from one of the members in the mailing list that it is
> not possible to avoid user interaction. See below for our interaction.
>
> Regards,
> AK
>
>
> arun elango <arunelang...@gmail.com> writes:
>
>> Is it possible to use kpasswd without user interaction, i.e. not having
>> user to enter their password in the console.
>
> Oh, that's actually a legitimate cause of that error message. Okay.
>
> It's not possible to use *kpasswd* without user interaction, but it's
> definitely possible to use the underlying call to change a user's password
> without interaction. Look at kadmin, particularly kadmin change_password.
>
> kerberos@mit.edu can help further with that.
>
> On Thu, Mar 5, 2015 at 10:12 AM, Benjamin Kaduk <ka...@mit.edu> wrote:
>
>> On Wed, 4 Mar 2015, arun elango wrote:
>>
>>> Hi Ben Kaduk,
>>>
>>> Thanks for the information.
>>>
>>> Is there any other method to implement change password other than the
>>> Kpasswd utility for Windows.
>>
>> kpasswd.exe is a way to do it, and the MIT Kerberos.exe ticket manager
>> also provides password-change functionality. I don't know of a different
>> one, offhand.
>>
>> -Ben
>>
>> P.S. any reason to remove the list from the CC? It's generally good to
>> archive questions and answers so that they can be found in the future.
>>
>> -Ben
>>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Stephen Carville
Apprentice Cook and Bottle Washer | LERETA, LLC
1123 Park View Drive | Covina, CA 91724
626-339-5221 X1326
scarvi...@lereta.com
=================================================
laeti vescimur nos subacturis
=================================================
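
Added example, not part of the original thread and not the poster's code: a small audit of kadm5.acl entries using MIT krb5 flag semantics (lowercase grants, uppercase revokes, `x` and `*` expand to `admcilsp`), showing what "ADmciL" leaves an agent account able to do. The principal names, the realm and the `needed` set are assumptions made for illustration.

```python
# Added example: least-privilege audit of kadm5.acl entries (MIT krb5 flags).
FLAGS = set("acdeilmps")   # add, changepw, delete, extract-keys, inquire,
                           # list, modify, propagate, setkey
ALL = set("admcilsp")      # 'x' and '*' expand to this; 'e' is never implied

SAMPLE_ACL = """\
# constructed sample entries, not taken from the thread
pwreset-agent@EXAMPLE.COM  ADmciL
*/admin@EXAMPLE.COM        *
helpdesk@EXAMPLE.COM       ci      *@EXAMPLE.COM
"""


def effective_perms(flags):
    """Apply flags left to right: lowercase grants, uppercase revokes."""
    granted = set()
    for ch in flags:
        low = ch.lower()
        if low in ("x", "*"):
            mask = ALL
        elif low in FLAGS:
            mask = {low}
        else:
            raise ValueError(f"unknown kadm5.acl flag {ch!r}")
        granted = granted - mask if ch.isupper() else granted | mask
    return granted


def audit_acl(text, needed):
    """Return (principal, finding) pairs for entries that exceed `needed`."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2:
            raise ValueError(f"malformed entry: {line!r}")
        principal, perms = fields[0], effective_perms(fields[1])
        extra = perms - needed
        if extra:
            findings.append((principal, "extra rights: " + "".join(sorted(extra))))
        # No third field means the entry applies to every principal.
        if "c" in perms and len(fields) == 2:
            findings.append((principal, "changepw with no target restriction"))
    return findings


if __name__ == "__main__":
    for who, what in audit_acl(SAMPLE_ACL, needed=set("cmi")):
        print(f"{who}: {what}")
```

An entry with no target field applies to every principal, so a password-reset agent with `c` and no target can also reset administrative principals; a target pattern in the third field narrows that.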