[OpenAFS-devel] Kerberos Authentication - kinit using STDIN

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 16 Feb 2011 16:02:42 -0500


--On Wednesday, February 16, 2011 03:21:37 PM +0000 Pedro Rodrigues 
<pedro.rodrigues@fct.unl.pt> wrote:

> In the Linux Heimdal client it is possible to pass the password to kinit via
> STDIN: "echo $password | kinit $user@$realm --password-file=STDIN" .
> However, to the best of our knowledge it is not possible to do the same in
> Windows and Mac OS X.
> We also need to execute the kinit command on behalf of the user since there
> are several users whose username is of the form "name.surname".
> Therefore, we need to authenticate them with principal name
> "name/username" due to the AFS pts principal conversion.

OK, but why do you need to collect the password and pass it along, rather 
than simply allowing kinit to collect the password directly from the user? 
If you are actually using a shell script such as you describe above, there 
are all sorts of opportunities for trouble caused by passwords containing 
things you didn't expect.  And, unless you're _very_ careful, you're 
risking exposing the password to other users on the machine, in a variety 
of ways.

If you really must collect the password yourself, consider doing so in a 
compiled program from which you can call the Kerberos API.  There are 
functions available for obtaining tickets and/or verifying user login, 
given a principal name and password.

Finally, this is really a Kerberos question, not something related to the 
development of OpenAFS.  You might get better response asking on the 
kerberos@mit.edu mailing list instead of here.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Carnegie Mellon University - Pittsburgh, PA
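Added example, not part of the thread and not code from either correspondent: a small Python wrapper that does what the quoted shell pipeline attempts but without a shell, handing the secret to Heimdal's kinit on stdin instead of placing it in argv or the environment. It assumes (not stated in the thread) that OpenAFS pts maps the Kerberos instance separator "/" to ".", so AFS user "name.surname" authenticates as "name/surname@REALM"; the realm EXAMPLE.ORG, the function names and the stand-in command used in place of kinit are constructed for the example.

```python
import getpass
import subprocess


def afs_principal(username: str, realm: str) -> str:
    """Derive the Kerberos principal for an AFS user name.

    ASSUMPTION (not stated in the thread): OpenAFS pts maps the Kerberos
    instance separator "/" to ".", so AFS user "name.surname" is
    authenticated as the principal "name/surname@REALM".
    """
    if not username or "@" in username or "/" in username:
        raise ValueError(f"not an AFS user name: {username!r}")
    return f"{username.replace('.', '/')}@{realm}"


def kinit_from_stdin(principal: str, password: str, kinit=("kinit",)):
    """Obtain a TGT by feeding the password to kinit on its stdin.

    No shell is involved and the secret never appears in argv or the
    environment (both readable by other local users via ps or /proc), so
    characters such as $, backticks, quotes, ; or spaces reach kinit
    unchanged.  --password-file=STDIN is the Heimdal option quoted in the
    thread; `kinit` may be replaced by a stand-in command for testing.
    Returns (exit status, stdout) of the child process.
    """
    if "\n" in password or "\r" in password:
        # kinit reads one line, so a line break would silently truncate the secret
        raise ValueError("password must not contain a line break")
    proc = subprocess.run(
        [*kinit, "--password-file=STDIN", principal],
        input=password + "\n",
        capture_output=True,
        text=True,
        check=False,
    )
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # Interactive use: prompt without echo, then authenticate the AFS user.
    user = input("AFS user name (e.g. name.surname): ")
    realm = "EXAMPLE.ORG"  # placeholder realm, not from the thread
    rc, _ = kinit_from_stdin(afs_principal(user, realm), getpass.getpass("Password: "))
    raise SystemExit(rc)
```

This removes the quoting and argv-exposure hazards the reply describes, but the password still passes through this process's memory and a pipe; the compiled program calling the Kerberos API directly, as the reply recommends, avoids the extra hop.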