I was looking at this: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/kinit.html and noticed that it says I could use the "password flag". I am not sure how
There are 2 popular Kerberos client packages: MIT and Heimdal. Heimdal is what comes with MacOS, but MIT is the reference implementation. On Heimdal clients, you can use the --password-file flag:
$ kinit --password-file=~/mypasswordfile test@REALM
This avoids leaking the password to the process list as it "reads the password from the first line of filename."
You can alternatively do
--password-file=STDIN
and pipe it in, e.g. cat password_file | kinit --password-file=STDIN test@REALM.
NOTE: This avoids leaking the password via the ps output.
On MacOS you can also use the keychain option. You can check the type of client you have with kinit --version. If the --version flag is unrecognized, you most likely have an MIT client; the Heimdal clients seem to recognize the flag and report a version.
Note that Ubuntu switched the default from a Heimdal implementation to the MIT one between 14.04 and 16.04. Also, generally speaking, the two packages conflict with one another.
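Added example, not part of the original answer: a small shell wrapper that uses the kinit --version check described above to pick the invocation, and feeds the password through stdin so it never appears in the process list. The KINIT variable and the function names are hypothetical; that MIT kinit exits non-zero on --version and reads the password from a non-terminal stdin are assumptions not stated on the page.

```shell
#!/bin/sh
# Added example; not code from the original answer.
# KINIT is a hypothetical override so the wrapper can target a specific binary.
KINIT="${KINIT:-kinit}"

# Heimdal recognises --version; an unrecognised flag most likely means MIT.
# Assumption: the MIT client exits non-zero when it rejects the flag.
kinit_flavor() {
    if "$KINIT" --version </dev/null >/dev/null 2>&1; then
        echo heimdal
    else
        echo mit
    fi
}

# Succeeds only for a regular file with no group/other permission bits.
# Parses the mode string from ls so it works with both GNU and BSD tools.
password_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage: kinit_from_file PASSWORD_FILE PRINCIPAL
# The password travels over stdin only; argv holds just flags and principal.
kinit_from_file() {
    file="$1"
    principal="$2"
    if ! password_file_is_private "$file"; then
        echo "refusing $file: need a regular file with no group/other access" >&2
        return 1
    fi
    case "$(kinit_flavor)" in
        heimdal)
            "$KINIT" --password-file=STDIN "$principal" < "$file"
            ;;
        mit)
            # Assumption: MIT kinit reads the password from a non-terminal stdin.
            "$KINIT" "$principal" < "$file"
            ;;
    esac
}
```

Redirecting the file with < rather than piping from cat avoids an extra process, and the permission check rejects a password file that other local users could read.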