Kerberos kinit enter password without prompt

Posted 2019-01-19 10:58

Question:

I was looking at this: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/kinit.html

and noticed that it says I could use the "password flag". I am not sure how to do this though?

Can I enter the password for kinit without it prompting me to?

For example currently,

If I type in:

kinit test@REALM

I get response:

test@REALM's password:

and I have to enter the password. Is there any way I can input something like kinit test@REALM password so it doesn't prompt me?

Thanks!

Answer 1:

Use a keytab for that principal!



Answer 2:

Also you can

echo "password" | kinit username



Answer 3:

You might be able to depending on exactly which kinit you are using, but it's an extremely bad idea. Anyone on that system can read the process table and ARGV for any command and thus your password is exposed.

Most implementations of kinit do not support this for exactly this reason.

It's not completely clear: are you on a Windows box or a Unix one?

Either way, the correct way to handle this problem is to use a keytab.

Keytabs store the key for a principal (not the password). In Kerberos the password is used to generate a more random key that is actually used in the cryptographic exchange. The command for creating/manipulating keytabs is usually

ktutil


Answer 4:

From feldversuch's answer which was removed for being "too terse" (LOL)

kinit --password-file=~/mypasswordfile test@REALM

Avoids leaking it to the process list!

You can also do

--password-file=STDIN

and pipe it in, e.g. cat password_file | kinit --password-file=STDIN test@REALM
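
Added example, not part of any answer above: a shell check that makes the exposure described in Answer 3 observable, comparing what the process table shows when a secret is passed in argv with what it shows when the secret arrives on stdin, as in Answers 2 and 4. The `fake-kinit` stand-in and the secret are constructed for the demonstration and no real kinit is run. It assumes a Linux `/proc` or a `ps` that supports `-o args=`.

```shell
#!/bin/sh
# Added example. SECRET and MARKER are constructed values, unique per run;
# the child process is a harmless stand-in, not a real kinit.
SECRET="constructed-secret-$$"
MARKER="fake-kinit-$$"

# Command line of PID, as any local user on the system can read it.
visible_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Poll until the child has exec'd (its argv contains MARKER), stop the child,
# then succeed only if SECRET appears in the argv that was observed.
secret_visible() {   # $1 = pid of the stand-in
    tries=0
    while [ "$tries" -lt 10 ]; do
        args=$(visible_args "$1" 2>/dev/null)
        case $args in
            *"$MARKER"*) break ;;
        esac
        sleep 0.1 2>/dev/null || sleep 1
        tries=$((tries + 1))
    done
    kill "$1" 2>/dev/null
    wait "$1" 2>/dev/null
    case $args in
        *"$SECRET"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Secret given as a command-line argument (what the question asks for).
argv_exposes_secret() {
    sh -c 'sleep 5; exit 0' "$MARKER" "$SECRET" >/dev/null 2>&1 &
    secret_visible "$!"
}

# Secret given on stdin (Answer 2, and --password-file=STDIN in Answer 4).
stdin_exposes_secret() {
    printf '%s\n' "$SECRET" |
        sh -c 'read -r pw; sleep 5; exit 0' "$MARKER" >/dev/null 2>&1 &
    secret_visible "$!"
}

argv_exposes_secret && echo "argv:  secret visible in the process table"
stdin_exposes_secret || echo "stdin: secret not visible in the process table"
```

The stdin result covers only the process table. A password typed into an `echo` command line can still end up in shell history, which is one more reason the answers point to a keytab.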