[6403] in Kerberos
Re: Thinking of moving to kerberos, lots of questions
daemon@ATHENA.MIT.EDU (Calvin G. Smith)
Sat Dec 23 20:36:32 1995
Date: Sat, 23 Dec 1995 21:17:10 -0500 (EST)
From: "Calvin G. Smith" <cgs@cldc.howard.edu>
To: Derek Atkins <warlord@MIT.EDU>
Cc: kerberos@MIT.EDU
In-Reply-To: <199512232220.RAA06415@toxicwaste.media.mit.edu>
On Sat, 23 Dec 1995, Derek Atkins wrote:
> Hi.
>
> > We are considering moving our system from YP to Kerberos. Before I
> > undertake this, are there any pitfalls, etc. to watch out for?
>
> First, remember that kerberos is an authentication system, YP is a
> naming service.
OK, I got that. We don't use YP for anything else but user and group
validation.
>
> > How would I move the password database from the YP files to the Kerberos
> > KDC? Would everyone have to reenter their passwords, or is there a way
> > that it could be done so that it is as transparent as possible to the
> > users?
>
> You cannot directly convert from YP passwords to Kerberos passwords.
> You will need to create each user in the KDC by hand, which does
> require everyone to enter their password. Or, perhaps, you can
> provide a program that will use the YP password and stuff it into the
> KDC (this _can_ be a security hole if left too long). For example,
> you can hack login to first try the KDC for a password, and if that
> fails, try YP. If YP succeeds, then add the password to the KDC.
> This just requires the hacked login program to understand the kadmin
> protocol and have a kadmin password stored inside.
>
Drat. I was afraid of that. Any sources out there that I can use?
> -derek
>
-Calvin
---------------------------------------------------------------------
"Information - the currency of the future" cgs@cldc.howard.edu
---------------------------------------------------------------------
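
The migrate-on-login fallback described in the quoted reply (try the KDC first, fall back to YP, and on YP success add the password to the KDC), as an added example that is not part of the original thread and not code from either poster. The in-memory KDC and YP map, both hash functions, the cutoff date and the per-user rule that disables YP once a principal exists are assumptions of this sketch; a real login would talk to the KDC and kadmin instead.

```python
import hashlib
import hmac
from datetime import date

def yp_hash(salt, password):
    # Stand-in for the crypt() hash in the YP passwd map (demo only).
    return hashlib.sha256((salt + password).encode()).hexdigest()

def kdc_key(user, password):
    # Stand-in for Kerberos string-to-key, salted with the principal name.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)

class MigratingLogin:
    def __init__(self, yp_map, cutoff):
        self.yp = yp_map      # user -> (salt, hash), constructed sample data
        self.kdc = {}         # user -> key, stand-in for the KDC database
        self.cutoff = cutoff  # last day the YP fallback is allowed
        self.audit = []       # (user, event) records for later review

    def login(self, user, password, today):
        key = kdc_key(user, password)
        if user in self.kdc:
            # Migrated users authenticate against the KDC only, so the old
            # YP password stops working once a principal exists.
            ok = hmac.compare_digest(self.kdc[user], key)
            self.audit.append((user, "kdc-ok" if ok else "kdc-fail"))
            return ok
        if today > self.cutoff:
            # Fallback window closed: stragglers need a manual reset.
            self.audit.append((user, "fallback-closed"))
            return False
        entry = self.yp.get(user)
        if entry and hmac.compare_digest(entry[1], yp_hash(entry[0], password)):
            self.kdc[user] = key  # real code would create the principal via kadmin
            self.audit.append((user, "migrated"))
            return True
        self.audit.append((user, "yp-fail"))
        return False

    def pending(self):
        # Accounts that still depend on YP and have not logged in yet.
        return sorted(set(self.yp) - set(self.kdc))

if __name__ == "__main__":
    yp = {"alice": ("ab", yp_hash("ab", "correct horse")),
          "bob": ("cd", yp_hash("cd", "hunter2"))}
    gate = MigratingLogin(yp, cutoff=date(1996, 3, 1))
    print(gate.login("alice", "correct horse", date(1996, 1, 5)), gate.pending())
```

The cutoff and the `pending()` list address the "security hole if left too long" caveat: the fallback closes on a fixed date, and the remaining YP-only accounts are known in advance.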