[OpenAFS-devel] Kerberos Authentication - kinit using STDIN
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 16 Feb 2011 16:02:42 -0500
--On Wednesday, February 16, 2011 03:21:37 PM +0000 Pedro Rodrigues
<pedro.rodrigues@fct.unl.pt> wrote:
> In Linux Heimdal client it is possible to pass the password to kinit via
> STDIN: "echo $password | kinit $user@$realm --password-file=STDIN" .
> However, to our best knowledge it is not possible to do the same in
> Windows and Mac OS X.
> We also need to execute kinit command on behalf of the user since there
> are several users which username is of the form "name.surname".
> Therefore, we need to authenticate them with principal name
> "name/username" due to the AFS pts principal conversion.
OK, but why do you need to collect the password and pass it along, rather
than simply allowing kinit to collect the password directly from the user.
If you are actually using a shell script such as you describe above, there
are all sorts of opportunities for trouble caused by passwords containing
things you didn't expect. And, unless you're _very_ careful, you're
risking exposing the password to other users on the machine, in a variety
of ways.
If you really must collect the password yourself, consider doing so in a
compiled program from which you can call the Kerberos API. There are
functions available for obtaining tickets and/or verifying user login,
given a principal name and password.
Finally, this is really a Kerberos question, not something related to the
development of OpenAFS. You might get better response asking on the
kerberos@mit.edu mailing list instead of here.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Carnegie Mellon University - Pittsburgh, PA