[6185] in Kerberos
Re: How to make V5 and V4 work together
daemon@ATHENA.MIT.EDU (Jonathan Chinitz)
Wed Nov 8 18:25:38 1995
Date: Wed, 8 Nov 1995 18:07:05 -0400
To: "Theodore Ts'o" <tytso@MIT.EDU>
From: jec@isoft.com (Jonathan Chinitz)
Cc: milman@austin.ibm.com, kerberos@MIT.EDU, jiewang@lieland.stanford.edu,
Mark_Sherman@transarc.com

At 5:23 PM 11/8/95, Theodore Ts'o wrote:
[stuff deleted]
>However, without backwards compatibility at the DCE security server
>level, it still means that you have to force people to maintain separate
>passwords for the AFS ka server and the DCE security server, thus
>destroying single-signon, at the very minimum. And if there's no way to
>import users' keys from the AFS ka server to the DCE security server,
>then you force the site to go through the user password
>initialization process for all of their existing users. For a site with
>20,000 users, this is not something which is undertaken lightly.
>
Correct me if I'm wrong, but I was under the impression that, due to
different string-to-key functions, the kaserver and Kerberos KDC could
not share keys either, no? If this is true then it is not just DCE that is
causing you a problem here.

In any event, if you do have a common KDC that is V5 based for your K
clients and AFS clients then the DCE security server can serve that
function just as well. Furthermore, the DCE security API does support the
ability to insert a DES key, assuming you have the right salt.
-Jonathan
Jonathan Chinitz E: jec@isoft.com
IntelliSoft Corp. URL: http://www.isoft.com
P.O. Box 2645 V: (508) 635-9070
Acton, MA 01720 F: (508) 635-9210