Re: Packagers - Flag day 2016 Important changes

On Tue, 2016-12-13 at 14:36 +0000, Dave Love wrote:
> Simo Sorce <simo@xxxxxxxxxx> writes:
> 
> > If you really need to automate it because typing a password is too hard:
> > cat ~/.mykrbpassword | kinit myusername
> 
> It needs to be automated principally because the password is not
> memorable.  I assume infrastructure people would rather we don't use the
> least secure credentials we can.

It is the same password you had to use every day to access services like
bodhi, pkgdb, fas, etc...
Now all those services are kerberized too (via an OIDC IDP middleman), so
you can just kinit once and then access all those services without sending
the password around. All in all, I think it is a better situation.

> There is actually a Kerberos mechanism for storing credentials even if
> it somewhat defeats the object, particularly on a shared system.  It
> would be better if you could forward the GSS identities over ssh, but I
> don't see that you can.

You can if you authenticate with such an identity, but you can't forward
additional identities indeed.
But I am not sure why you would need to forward your user credentials to
servers normally. Did you copy your certs everywhere before? I would
think the normal case is that people have 1 development machine where
they handle packaging.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
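
Added example, not part of the messages above: a wrapper around the `kinit`-from-a-password-file approach discussed in this thread that reuses a still-valid ticket and refuses to read a password file that other users could read. The function names are hypothetical; it assumes MIT Kerberos `klist`/`kinit` and GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes MIT Kerberos klist/kinit and GNU coreutils stat.

# Succeed only if the password file is a regular file (not a symlink),
# owned by the calling user, and has mode 600 or 400.
pwfile_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ "$(stat -c %u "$f")" = "$(id -u)" ] || return 1
    case "$(stat -c %a "$f")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Obtain a ticket only when needed.
#   returns 0 if a valid ticket already exists or kinit succeeds
#   returns 2 if the password file fails the privacy check
krb_login() {
    principal=$1
    pwfile=$2

    # klist -s prints nothing and exits 0 when the cache holds a valid TGT,
    # so the password file is not touched while a ticket is still good.
    if klist -s 2>/dev/null; then
        return 0
    fi

    if ! pwfile_is_private "$pwfile"; then
        echo "refusing to use $pwfile: must be a regular file you own, mode 600 or 400" >&2
        return 2
    fi

    # Feed the password on stdin, as in the one-liner quoted in the thread.
    kinit "$principal" < "$pwfile"
}

# Usage (principal and path as used in the thread):
#   krb_login myusername ~/.mykrbpassword
```
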



