Is it possible to make kinit ask Keychain for password and not me?
3 Answers
kinit on Mac OS X now (since 10.9, possibly earlier) has built-in support for saving the password to the keychain via the --keychain argument, accomplishing the same thing as paul's answer.
Authenticate using kinit --keychain; the password will be saved upon successful authentication:
kinit --keychain
# or
kinit --keychain bob@MY.REAL.COM
Subsequent kinit invocations (which don't require the --keychain argument) will automatically get the saved password from your keychain instead of prompting you to enter it.
- 445
Actually it is possible. Let us say you have an account "bob" on the realm "MY.REAL.COM" with password "mypasswd". Then, in a Terminal, type on one single line:
security add-generic-password -a "bob" -l "MY.REAL.COM (bob)" -s "MY.REAL.COM" -w "mypasswd" -c "aapl" -T "/usr/bin/kinit"
This will create an item in your default Keychain named "MY.REAL.COM (bob)" with your Kerberos credentials, and kinit will be authorized to access it. You can add as many -T "/fullpath/program" switches as you want; each will give the specific program access to your Kerberos credentials. For example, -T "/Applications/Mail.app/Contents/MacOS/Mail" will add access for Mail.app.
More details with man security.
After that kinit bob@MY.REAL.COM will not prompt you for a password but will get it from the keychain.
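Added example, not part of the answers on this page: a small wrapper around the `security add-generic-password` command shown above that puts `-w` last, so `security` prompts for the password instead of receiving it as an argument that ends up in shell history and the process list. The function names and the `DRY_RUN` variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: store a Kerberos password in the macOS keychain for kinit
# without typing the password on the command line.

# Split "user@REALM" into its parts; return non-zero for anything else.
principal_user() {
    case "$1" in
        ?*@?*) printf '%s\n' "${1%@*}" ;;
        *)     return 1 ;;
    esac
}

principal_realm() {
    case "$1" in
        ?*@?*) printf '%s\n' "${1##*@}" ;;
        *)     return 1 ;;
    esac
}

# Create the keychain item for one principal, then try kinit.
# DRY_RUN=1 (hypothetical switch) prints the command instead of running it.
store_kerberos_password() {
    principal=$1
    user=$(principal_user "$principal")   || return 2
    realm=$(principal_realm "$principal") || return 2

    # Same item layout as the answer above: account = user, service = realm,
    # access limited to /usr/bin/kinit. A trailing -w with no value makes
    # security(1) prompt for the password interactively.
    set -- add-generic-password \
        -a "$user" -l "$realm ($user)" -s "$realm" \
        -c aapl -T /usr/bin/kinit -w

    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "security $*"
        return 0
    fi

    # macOS only: security prompts for the password, kinit then reads it back.
    security "$@" && kinit "$principal"
}

# Run only when invoked with a principal, e.g.: ./store-krb.sh bob@MY.REAL.COM
if [ "$#" -gt 0 ]; then
    store_kerberos_password "$1"
fi
```
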
With only kinit, this is impossible.
You'd have to write or have someone else write a separate interface that uses the Keychain Services API to store and access your passwords.
- 22,896