[6444] in Kerberos
Re: Performance of CNS vs. AFS kaserver?
daemon@ATHENA.MIT.EDU (Doug Engert)
Fri Jan 5 17:19:14 1996
Date: Fri, 5 Jan 1996 16:05:58 -0600
From: Doug Engert <DEEngert@anl.gov>
To: kerberos@MIT.EDU
Cc: <shadow+@andrew.cmu.edu>, <jgm+@CMU.EDU>
In-Reply-To: <wkvMOe200WCQMzVFtq@andrew.cmu.edu>

Derrick J. Brashear writes:
> Excerpts from netnews.comp.protocols.kerberos: 5-Jan-96 Re: Performance
> of CNS vs. .. by John Gardiner Myers@CMU.
> > At CMU, we've modified those two programs to know about both
> > string-to-keys and to prefer the MIT one. As a result, we have a
> > kaserver with most of the keys encoded in the MIT string-to-key.
> > Unfortunately, we can't distribute the modified clients because they
> > are encumbered by Transarc ownership.

We at ANL also use the AFS kaserver as the KDC. (Both Derrick and John
were very helpful with the project. Thanks again.) We have a modified
version of the MIT kpasswd which tries both string_to_keys when asking
for the old password, and then uses the MIT string_to_key with the new
password to get the new key. It then sends this to a modified MIT
kadmind which is running on the same machine as the kaserver. The
kadmind issues an AFS kas setkey command to save it in the AFS
database. Once your password is changed once, you can then use
the unmodified MIT kpasswd client as well to change passwords.

The code can be found at ftp://achilles.ctd.anl.gov/pub/kerberos.v4
See the README file there.

> Of course, you could complain to Transarc to incorporate it. I know they
> have the patches:-)

We tried that back in 1993. They never did figure out what we were
talking about then either. (If they did, it would be much easier to
convert from AFS to DCE/DFS now.)

Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov