[4153] in Kerberos
Re: Adding Users en mass
daemon@ATHENA.MIT.EDU (Asokan)
Tue Nov 8 19:48:44 1994
To: kerberos@MIT.EDU
Date: Tue, 8 Nov 1994 17:39:17 GMT
From: nasokan@math.uwaterloo.ca (Asokan)
In article <39o5o9$7rh@merlin.nando.net>, Charles Hall <chall@nando.net> wrote:
>Is there an easy way to import a list of users and passwords into Kerberos? I tried
>just piping output to kadmin, but it doesn't seem to accept the passwords from a pipe.
>Am I also correct that there is no way to force Kerberos to show me the passwords
>it has in clear text? That at least might help me debug the pipe problem. I found
>"build_pwfile" on the dist. but I can't figure out what it does (even after reading the
>source!).
>
We use a locally hacked tool called "krap" to create principals
en masse and assign random passwords. The random passwords
are stored on a secure machine. Another tool called
"init_kpasswd" is available on a small set of "trusted"
multi-user machines. It talks to a daemon called "init_kpasswdd"
on the machine that has the random password file, gets the random
initial password that is assigned to the invoker and uses it
to let the invoker change their password. All this is for v4.
We still haven't migrated to v5 yet. You can write a krap
equivalent by beating up on the kadmin code. If you want
the functionality of init_kpasswd[d] as well, they are fairly
trivial client/server code.
If you are interested in looking at my code, I might be able
to package it up and send it to you. Let me know.
Another option (which is what we tried first) is to write
a front end to kadmin in expect. We found expect to be slow
at that time (3 years ago). Newer versions of expect may be faster.
BTW, appended is a locally written minimal man page for build_pwfile.
- Asokan
-----------------------------------------------------
NAME
build_pwfile - build dbm files from a given list of words.
SYNOPSIS
build_pwfile <file>
DESCRIPTION
build_pwfile would read <file>, containing a list of bad
passwords, and would build appropriate dbm files. The files
would be left under the kerberos database directory (by
default /kerberos). kadmind(8) would consult these dbm files
when a principal wants to change its password. Bad passwords
are disallowed by kadmind.
Remember that if your kerberos administration server is an
architecture that does not support the newer dbm, you'll
have to touch the /kerberos/bad_passwd{.pag,.dir} files
before they can be used.
FILES
/kerberos/bad_passwd{,.pag,.dir}
SEE ALSO
kadmind(8), kerberos(1)
AUTHOR
Guess: Theodore Y. Ts'o, MIT Distributed Computing and Network
Services
BUGS
This man page was written at UW.
MIT Project Athena Kerberos Version 4.0
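
The bulk step described in the reply above (random initial passwords assigned en masse, kept in a protected file, and later looked up only for the invoking user), as an added example; it is not the krap or init_kpasswd[d] code, which is not shown in this post. The "name:password" file format, the name rule, and the function names are assumptions, and creating the principals in the Kerberos database is left out.

```python
import os
import re
import secrets
import string
import tempfile

ALPHABET = string.ascii_letters + string.digits
# Assumed naming rule: no '.', '@' or ':' (Kerberos name separators and the
# field delimiter of this hypothetical store), at most 40 characters.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,40}")


def assign_initial_passwords(usernames, path, length=16):
    """Give each distinct user a random initial password and store them in `path`."""
    assigned = {}
    for raw in usernames:
        name = raw.strip()
        if not name or name in assigned:
            continue  # skip blank lines and repeated names
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"refusing unusual principal name: {name!r}")
        # secrets draws from the OS CSPRNG, unlike the random module.
        assigned[name] = "".join(secrets.choice(ALPHABET) for _ in range(length))
    # O_EXCL: fail rather than overwrite or reuse an existing file.
    # 0600: readable and writable by the owner only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as out:
        for name, password in assigned.items():
            out.write(f"{name}:{password}\n")
    return assigned


def initial_password_for(path, invoker):
    """Lookup a daemon in the init_kpasswdd role would do: the invoker's entry only."""
    with open(path) as store:
        for line in store:
            name, _, password = line.rstrip("\n").partition(":")
            if name == invoker:
                return password
    return None


if __name__ == "__main__":
    users = ["alice", "bob", "", "alice"]  # constructed sample input
    store = os.path.join(tempfile.mkdtemp(), "initial_pw")
    assign_initial_passwords(users, store)
    print(sorted({n for n in users if n and initial_password_for(store, n)}))
```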