
Re: Kerberos as alternative to NIS/Yellow Pages

daemon@ATHENA.MIT.EDU (Howard Chu)
Thu Nov 9 05:39:05 1995

To: kerberos@MIT.EDU
Date: 8 Nov 1995 23:13:49 -0800
From: hyc@troy.la.locus.com (Howard Chu)

In article <pmiles.815823501@tdc>, Peter Miles <pmiles@tdc.dircon.co.uk> wrote:
>Hi,

>Is anyone out there using Kerberos as an alternative to NIS/Yellow Pages
>(i.e. for centralised password management)?

>I'd be interested in hearing comments and experiences.

>One of my main concerns is that I understand that Kerberos uses its own 
>way of encrypting passwords on the server. This may be a problem for us, 
>as we have 10,000+ users with UNIX crypt()-based passwords, and we are 
>not able to reissue them with new passwords. Can Kerberos be set to use 
>standard UNIX password encryption (even at the cost of slightly lower 
>security)?

>Also, do all applications which check the password file have to be modified,
>or does Kerberos simply replace things like the getpwent() routines?
>I should point out that the centralised password management is more 
>important to me than users being able to move from system to system without
>having to re-enter their password.

>Does Kerberos have any equivalent to the "Netgroups" feature of NIS?

I think Kerberos is probably so different from conventional password usage
that this question is almost too abstract to address.

But some important answers - all applications that worry about passwords
need to be modified. There's no crypt-like plugin, no getpwent replacement;
all of the code that deals with verifying a user's identity goes out the door
and gets replaced with whatever appropriate Kerberos calls.

Kerberos' sole purpose is authentication, not authorization. All it lets you
do is convince someone else that you are who you claim to be. The netgroups
feature of NIS implements an authorization policy, which is completely apart
from what Kerberos addresses. To get both features in a single package, you
need something like DCE which specifically attempts to address both
authentication and authorization in a distributed environment.
-- 
Howard Chu				Principal Member of Technical Staff
hyc@locus.com				Locus Computing Corporation
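The following is an added illustration, not code from either poster. It models the two points the reply makes: a crypt()-style passwd entry and a Kerberos-style long-term key are both one-way derivations of the plaintext password (Kerberos derives its key with its own string-to-key function, so an existing crypt() hash cannot be converted into a Kerberos key offline), and authentication is a separate layer from a netgroup-style authorization policy. The hash functions are standard-library stand-ins, not the real crypt(3) or the real Kerberos string2key; the "migrate on next login" routine is an approach assumed here for illustration, not something the thread states; all user names, realm, netgroups and host policy are constructed.

```python
"""
Toy model of the reply above.  Nothing here is the real Kerberos protocol
or the real crypt(3); both derivations are stand-ins chosen so the example
runs offline with the standard library only.
"""
import hashlib
import hmac
import os

ITER = 10_000  # constructed work factor; not relevant to the argument


# ---- NIS / passwd-map world: crypt()-style one-way hash -------------------
def crypt_like(password, salt):
    """Stand-in for crypt(): salted and one-way; salt is random per entry."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)


def verify_crypt(password, entry):
    """Compare a candidate password against a stored (salt, digest) entry."""
    salt, digest = entry
    return hmac.compare_digest(crypt_like(password, salt), digest)


# ---- Kerberos world: long-term key derived from the password ---------------
def string_to_key(password, realm, principal):
    """Simplified stand-in for Kerberos string-to-key (NOT the real one):
    the salt comes from realm and principal, and the output is a *key* the
    KDC uses to issue tickets, not a digest that gets compared."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)


# Both derivations consume the plaintext and neither can be inverted, so a
# crypt() entry cannot be turned into a Kerberos key offline.  One approach
# (an assumption for this example, not stated in the thread) is to derive
# the key at the moment a user next authenticates against the old hash,
# when the plaintext is briefly in hand.
def migrate_on_login(password, entry, realm, principal, kdb):
    """Verify against the crypt() entry; on success, enrol the principal in
    the constructed Kerberos database `kdb`.  Returns True on success."""
    if not verify_crypt(password, entry):
        return False
    kdb[principal + "@" + realm] = string_to_key(password, realm, principal)
    return True


# ---- Authorization is a separate layer ------------------------------------
# Kerberos answers "who is this?"; whether that principal may use a host is
# policy.  NIS netgroups are one way to express it; these dicts are a
# constructed stand-in for that policy.
NETGROUPS = {"admins": {"alice"}, "staff": {"alice", "bob"}}
HOST_ACCESS = {"fileserver": {"staff"}, "backup-host": {"admins"}}


def authorize(authenticated_principal, host):
    """Apply the netgroup-style policy for `host` to a principal that has
    already been authenticated (e.g. by a validated ticket)."""
    user, _, _realm = authenticated_principal.partition("@")
    return any(user in NETGROUPS.get(g, set()) for g in HOST_ACCESS.get(host, set()))


def demo():
    salt = os.urandom(8)                                  # constructed
    entry = (salt, crypt_like("hunter2", salt))           # constructed user bob
    kdb = {}
    realm = "EXAMPLE.ORG"
    wrong = migrate_on_login("wrong", entry, realm, "bob", kdb)
    right = migrate_on_login("hunter2", entry, realm, "bob", kdb)
    return {
        "wrong_password_migrated": wrong,
        "right_password_migrated": right,
        "key_matches_direct_derivation":
            kdb["bob@EXAMPLE.ORG"] == string_to_key("hunter2", realm, "bob"),
        "bob_on_fileserver": authorize("bob@EXAMPLE.ORG", "fileserver"),
        "bob_on_backup_host": authorize("bob@EXAMPLE.ORG", "backup-host"),
        "alice_on_backup_host": authorize("alice@EXAMPLE.ORG", "backup-host"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to see the six results; the point to notice is that a wrong password never produces a Kerberos entry, that the key enrolled at login equals the direct derivation, and that a successfully authenticated principal is still refused on a host whose policy does not list one of its netgroups.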
