Posted on 07-14-2015 09:57 AM
We're getting ready to deploy KerbMinder in our environment. The first time KerbMinder needs to renew the user's ticket it prompts for the user's password, whereupon it can save the password in the user's Keychain.
I'm being asked if there is a way to avoid having KerbMinder prompt for the user's password, perhaps by reading the user's password out of their Keychain. I can't see how this would be possible without essentially hacking the Keychain to steal the user's password, but wanted to run it by the folks here.
Alternatively, is there a way to accomplish this without KerbMinder in a way that does not interact with the user?
Posted on 07-14-2015 10:04 AM
Not possible. If it were easy to extract the login keychain's password, it wouldn't be very secure. And we would never need to delete users' login.keychains when they've forgotten their old password and it doesn't unlock (but we do, because it's not possible (or at least not feasible) to crack it).
You could script something that would use either AppleScript or cocoaDialog to ask the user for their password at login, explaining it will only be used to set up KerbMinder (or whatever you want to mention here) and then perhaps use that captured password to set up the keychain entry. I don't know much about KerbMinder or what it stores, so I can't help there, but it may be possible that way.
Posted on 07-16-2015 02:23 PM
@stevehahn what is being asked is not possible AFAIK. The below is from the project's GitHub.
The password can be saved to the keychain so all subsequent renewals can use it. Should the saved password get out of sync with the domain — e.g. after the user changes their password — the keychain will automatically remove the old saved password and the user will be prompted to enter one.