Skip Menu |
 

History Show all quoted textShow full headers
# Thu Mar 27 19:23:08 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Ticket created
Subject: mismatch between client keytab default principal for kinit and GSS-API
Download (untitled) / with headers
text/plain 543B
When client keytabs are used to automatically obtain initiator credentials for the GSS-API, we use
the heuristic of picking the first krb5 principal in the keytab as the GSS identity to use for the
initiator. However, 'kinit -k -i', though it uses the client keytab, defaults to attempting to get
credentials for host/[hostname]. This latter functionality is of questionable utility, and the
inconsistency between the two scenarios has potential for confusion. We should probably switch
the kinit behavior to match the gssapi behavior.
# Thu May 22 17:34:37 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Given to kaduk@MIT.EDU (Benjamin Kaduk)
# Thu May 22 17:34:37 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Status changed from 'new' to 'review'
# Thu May 22 17:34:37 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Correspondence added
From: kaduk@MIT.EDU
Subject: git commit
Download (untitled) / with headers
text/plain 848B

Do not default to host/ for client keytabs

When the normal (acceptor) keytab is being used to obtain initial
credentials, it is reasonable to use the default hostbased service
principal (host/fully.qualified.localhost.domain) when no client
principal is given. This behavior is not very reasonable when
the default client keytab is being used, as host/ credentials are
not normally client credentials.

Make kinit -i match up with the GSS-API behavior when client keytabs
are in use, using the name of the first entry in the keytab when
no name is explicitly given.

https://github.com/krb5/krb5/commit/6c4bd36bd000c8f5ab1b8dacd5d4101831fe576e
Author: Ben Kaduk <kaduk@mit.edu>
Commit: 6c4bd36bd000c8f5ab1b8dacd5d4101831fe576e
Branch: master
src/clients/kinit/kinit.c | 17 +++++++++++++++++
1 files changed, 17 insertions(+), 0 deletions(-)
# Thu May 22 17:34:38 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Correspondence added
From: kaduk@MIT.EDU
Subject: git commit
Download (untitled) / with headers
text/plain 424B

Test that kinit -k -i picks the intended principal

Prior to ticket 7892 it would use the default host/ principal
when no principal was given on the command line.

https://github.com/krb5/krb5/commit/44adf120d8548b9bb43a380e6f1889840c4a4a3d
Author: Ben Kaduk <kaduk@mit.edu>
Commit: 44adf120d8548b9bb43a380e6f1889840c4a4a3d
Branch: master
src/tests/t_keytab.py | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
# Tue Aug 12 18:27:38 2014 tlyu (Taylor Yu) - Status changed from 'review' to 'resolved'
# Tue Aug 12 18:27:38 2014 tlyu (Taylor Yu) - Version_Fixed 1.13 added