[6402] in Kerberos
Re: Thinking of moving to kerberos, lots of questions
daemon@ATHENA.MIT.EDU (Derek Atkins)
Sat Dec 23 17:29:24 1995
Date: Sat, 23 Dec 1995 17:20:58 -0500
From: Derek Atkins <warlord@MIT.EDU>
To: "Calvin G. Smith" <cgs@cldc.howard.edu>
Cc: kerberos@MIT.EDU
In-Reply-To: "[6401] in Kerberos"
Hi.

> We are considering moving our system from YP to Kerberos. Before I
> undertake this, are there any pitfalls, etc. to watch out for?

First, remember that Kerberos is an authentication system; YP is a
naming service.

> How would I move the password database from the YP files to the Kerberos
> KDC? Would everyone have to reenter their passwords, or is there a way
> that it could be done so that it is as transparent as possible to the
> users?

You cannot directly convert from YP passwords to Kerberos passwords.
You will need to create each user in the KDC by hand, which does
require everyone to enter their password. Or, perhaps, you can
provide a program that will use the YP password and stuff it into the
KDC (this _can_ be a security hole if left too long). For example,
you can hack login to first try the KDC for a password, and if that
fails, try YP. If YP succeeds, then add the password to the KDC.
This just requires the hacked login program to understand the kadmin
protocol and have a kadmin password stored inside.

-derek
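
The migrate-on-login flow described in the message above, as an added example that is not part of the original post or of any Kerberos code. The in-memory `FakeKdc`, the salted SHA-256 stand-ins for crypt(3) hashes and Kerberos string-to-key, the cutoff date and all account data are constructed assumptions; a real login would speak the kadmin protocol instead.

```python
import hashlib
import hmac
from datetime import date

def legacy_hash(salt, password):
    # Stand-in for the crypt(3) hash held in a YP passwd map (assumption).
    return hashlib.sha256((salt + password).encode()).hexdigest()

class FakeKdc:
    """Hypothetical in-memory KDC; stores a derived key, never the password."""
    def __init__(self):
        self.principals = {}

    @staticmethod
    def _key(user, password):
        # Stand-in for Kerberos string-to-key, salted with the principal name.
        return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()

    def verify(self, user, password):
        stored = self.principals.get(user)
        return stored is not None and hmac.compare_digest(
            stored, self._key(user, password))

    def add_principal(self, user, password):
        self.principals[user] = self._key(user, password)

def login(user, password, kdc, yp_map, today, cutoff, audit):
    """Try the KDC first; fall back to YP only for unmigrated users
    and only until the cutoff date, so the fallback is not left in place."""
    if kdc.verify(user, password):
        return True
    if user in kdc.principals:
        return False          # migrated: the old YP hash must never count again
    if today > cutoff or user not in yp_map:
        return False          # migration window closed, or unknown user
    salt, expected = yp_map[user]
    if not hmac.compare_digest(legacy_hash(salt, password), expected):
        return False
    kdc.add_principal(user, password)   # the step that needs kadmin rights
    del yp_map[user]                    # retire the legacy hash immediately
    audit.append(("migrated", user, today.isoformat()))
    return True

if __name__ == "__main__":
    kdc, audit = FakeKdc(), []
    yp = {"alice": ("ab", legacy_hash("ab", "hunter2"))}  # constructed data
    print(login("alice", "hunter2", kdc, yp, date(1996, 1, 5),
                date(1996, 3, 1), audit), audit)
```

Accounts still present in `yp_map` after the cutoff are the ones that need creating in the KDC by hand.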