At 5PM +0200 on 24/05/13 you (Dirk Jahnke-Zumbusch) wrote:
> [I wrote:]
> > I didn't quite mean that: yes, that is 'passwordless' in a sense, but you still have to have typed a password into kinit fairly recently.
> > What I meant was that with 2.2 it's finally possible to set a list of krb5 principals for imap which is different from the list in .k5login. This makes it possible to create special-purpose principals, which can have their keys put in a keytab, which can then log on as an ordinary imap user.
> perhaps I misunderstand you, but something like
>   kinit -k -t /path/to/keytab
> authenticates w/o the need of typing a password.

Yes, but that means putting your ordinary user's key into a keytab, and since that key can (probably) be used for a whole lot more than just accessing IMAP, this isn't exactly very safe. The advantage of using a dedicated principal is that you can give it the minimum rights it needs to do its job, making the keytab much safer. You can also disable just that principal on the KDC if it gets compromised without locking the user out altogether.
Ben
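An added illustration of the authorization rule Ben describes (this is my own model, not Dovecot's code or anything posted in the thread). It assumes the 2.2 mechanism he means is the `k5principals` passdb extra field, a comma-separated list of principals allowed to log in as a given user, and that the passdb is a passwd-file-style text; the sample entries, the `imap-fetch/...` principal names and the `EXAMPLE.COM` realm are constructed. The `disabled` parameter stands in for the KDC admin locking one principal (what `modprinc -allow_tix` does in MIT kadmin), which is the "revoke just that principal" property from the last paragraph.

```python
"""Model of Dovecot-style Kerberos principal -> IMAP user authorization.

Added example, not Dovecot code.  Assumes the 2.2 mechanism referred to in
the thread is the `k5principals` passdb extra field (comma-separated list of
principals allowed to log in as that user), a passwd-file-style passdb, and a
simplified local-realm rule.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed sample passdb in passwd-file layout (not a real deployment):
#   user:password:uid:gid:gecos:home:shell:extra_fields
SAMPLE_PASSWD_FILE = """\
# dirk may be accessed by two dedicated fetch principals; ben has no list
dirk:{PLAIN}unused::::::userdb_mail=maildir:~/Maildir k5principals=imap-fetch/backup@EXAMPLE.COM,imap-fetch/indexer@EXAMPLE.COM
ben:{PLAIN}unused::::::
"""

DEFAULT_REALM = "EXAMPLE.COM"  # assumed local realm


@dataclass
class PasswdEntry:
    user: str
    k5principals: List[str]


def parse_passwd_file(text: str) -> Dict[str, PasswdEntry]:
    """Parse passwd-file lines, keeping only the k5principals extra field."""
    entries: Dict[str, PasswdEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=7 keeps colons inside the extra-fields column intact
        fields = line.split(":", 7)
        fields += [""] * (8 - len(fields))
        user, extra = fields[0], fields[7]
        allowed: List[str] = []
        for item in extra.split():
            key, _, value = item.partition("=")
            if key == "k5principals":
                allowed = [p for p in value.split(",") if p]
        entries[user] = PasswdEntry(user, allowed)
    return entries


def principal_may_login_as(principal: str, login_user: str,
                           passdb: Dict[str, PasswdEntry],
                           disabled: FrozenSet[str] = frozenset()) -> bool:
    """Decide whether an authenticated GSSAPI principal may act as login_user.

    `disabled` models principals the KDC admin has locked; such a principal
    never gets a ticket, so a leaked keytab for it is useless without the
    real user's account being touched.
    """
    if principal in disabled:
        return False
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return False  # refuse realm-less principals outright
    # Rule 1: the user's own principal in the local realm
    if realm == DEFAULT_REALM and name == login_user:
        return True
    # Rule 2: a dedicated principal explicitly listed for this user
    entry = passdb.get(login_user)
    return entry is not None and principal in entry.k5principals


if __name__ == "__main__":
    db = parse_passwd_file(SAMPLE_PASSWD_FILE)
    for who, target in [("imap-fetch/backup@EXAMPLE.COM", "dirk"),
                        ("imap-fetch/backup@EXAMPLE.COM", "ben"),
                        ("dirk@OTHER.REALM", "dirk")]:
        print(who, "->", target, principal_may_login_as(who, target, db))
```

The point of the two rules is the blast radius: a keytab for `imap-fetch/backup` can only ever become `dirk` on IMAP, and only while the KDC lets it have tickets, whereas a keytab holding `dirk@EXAMPLE.COM`'s own key is `dirk` everywhere Kerberos is accepted.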