[5354] in Kerberos
Re: Can V5b5 be used on OSF/1 with C2 security???
daemon@ATHENA.MIT.EDU (Steve Omand)
Thu Jun 8 20:00:24 1995
To: Phillip DeBrito <pdebrito@esu3.esu3.k12.ne.us>
Cc: kerberos@MIT.EDU
In-Reply-To: Your message of "06 Jun 95 15:45:23 GMT."
<3r1t6j$473@news.nde.state.ne.us>
Date: Thu, 08 Jun 95 18:44:07 EDT
From: Steve Omand <omand@athena.tay.dec.com>
> To: kerberos@MIT.EDU
> Date: 6 Jun 1995 15:45:23 GMT
> From: Phillip DeBrito <pdebrito@esu3.esu3.k12.ne.us>
> Message-Id: <3r1t6j$473@news.nde.state.ne.us>
> Organization: Educational Service Unit #3
> Sender: usenet@cam.ov.com
> Subject: Can V5b5 be used on OSF/1 with C2 security???
>
> Two quick and easy questions:
>
> 1. Can Kerberos V5b5 be used on a DEC ALPHA running OSF/1 v3.2 with
> enhanced (C2) security turned on?

I have successfully installed our K5 on OSF/1 v3.2 with C2 security.

>
> 2. Can the information from the passwd file (on the above system) be
> used to add users instead of manually typing in each user in kdb5_edit:?
> (I only ask because we have about 4000 users.)
>

I think Joe Kovara <joek@cybersafe.com> says it best in his posting
of Date: Wed, 7 Jun 1995 22:19:55 in this newsgroup:
: There are several issues with using the unix password as stored in the
: password file: (1) Again, you can't convert an etc/passwd key to a K4/K5
: key. (2) Even if you have the password as represented by the entry in
: etc/passwd, would you want to use it? Do you really want to take the
: security of Kerberos principal's passwords down to the level of etc/passwd
: (at least for systems without a shadow password file)? The alternative
: is, of course, to have an integrated login/single signon which doesn't
: require the local password file for controlling login. (3) Yes, you can
: save the principal/user id and password on a change password. Some sites
: have taken this approach as a transition strategy. However, I'd suggest
: that you generate the K4/K5 keys on-the-fly, and not store the clear-text
: passwords.
/sao