[6826] in Kerberos


Re: Using DCE secd as a Kerberos 5 KDC (fwd)

daemon@ATHENA.MIT.EDU (David Lemson)
Wed Mar 6 00:51:50 1996

To: jec@isoft.com (Jonathan Chinitz)
Date: Tue, 5 Mar 1996 23:38:51 -0600 (CST)
Cc: kerberos@MIT.EDU
In-Reply-To: <v02120d06ad62bc2fb92a@[199.33.247.8]> from "Jonathan Chinitz" at Mar 5, 96 11:56:52 pm
From: lemson@uiuc.edu (David Lemson)
Reply-To: lemson@uiuc.edu

Jonathan Chinitz writes:
> 
> >Along these lines, I am very interested in the ability to use a MIT V5
> >KDC as a secd.  Rich Salz alluded to this possibility in his talk on
> >new OSF DCE features at DECORUM last week.  Can anyone confirm that
> >we'll be able to use our existing KDC (with those 90,000 passwords
> >that 90,000 people already know) with a DCE cell (in 1.2.1, according
> >to Rich)? Perhaps we'll have to upgrade to a later beta release of
> >V5 KDC?
> >
> I think you misinterpreted Rich's talk: You can use a DCE secd as your
> Kerberos KDC, not the other way around. The DCE secd has a special thread
> that listens for udp/88 requests, while the rest of the DCE clients talk
> RPC to the secd on transient ports.

I was afraid that I had misinterpreted it. Not good news. 
> 
> As I indicated in a separate note, the Betas that I believe are currently
> workable in this scenario are Beta 3, 5 & 6.
> 
> And, yes, you will be able to load 90K accounts (principals) into the DCE secd.
> 
So the next question is: is there any way we will be able to take
the encrypted strings from our current beta 3 KDC and stuff them
into the DCE security server?  The aim is not to make all the people
change their passwords.

In case there is no way to do this, one thought I had, and this is
supposedly included in the AFS-DFS migration kit, is to have a V5
client that also knows how to talk DCE RPC that authenticates via V5,
then has special privilege to set someone's DCE security password.  We
could keep the binary safe on a trusted machine, and tell people that
they must run this command on that machine before they're able to use
DCE.

Then, as long as our V5 clients work with the DCE server (we're
willing to wait until 1.2.1 to do this so that it's clean), we're
still OK.

Any holes in this?

-- 
David Lemson
University of Illinois Computing and Communications Services Office
lemson@uiuc.edu    (217) 244-8833
