[136] in pc-kerberos
Re: Upcoming potential changes in KRBV4*.DLL
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Thu Aug 3 14:03:51 1995
Date: Thu, 3 Aug 1995 13:57:02 -0400
From: Theodore Ts'o <tytso@MIT.EDU>
To: Derrick J Brashear <shadow@DEMENTIA.ORG>
Cc: "Theodore Ts'o" <tytso@MIT.EDU>, "Paul B. Hill " <pbh@MIT.EDU>,
pc-kerberos@MIT.EDU
In-Reply-To: Derrick J Brashear's message of Thu, 3 Aug 1995 11:23:01 -0400 (EDT),
<Pine.SUN.3.90c1.950803111722.13230E-100000@johnstown.andrew.cmu.edu>

   Date: Thu, 3 Aug 1995 11:23:01 -0400 (EDT)
   From: Derrick J Brashear <shadow@DEMENTIA.ORG>

   Some vendor has shipped Kerberos based on v4p10, which has only the MIT
   string_to_key in it. The kpasswd they ship uses change_pw2. I get my
   hands on a kadmind and make it do this, telling it to use the Transarc
   string_to_key. You change your password, generating an MIT key. kadmind
   then generates a Transarc key and stores that. You try to authenticate.
   You lose.

Err.... *why* would you ever want to make your kadmind only store the
Transarc string_to_key()? The Transarc string_to_key() was, and is, a
mistake. An understandable mistake, given the histories of Vice, AFS
and CMU, perhaps, but a mistake nonetheless.
So yes, you could change your kadmind to use the Transarc string_to_key
no matter what, but that would be stupid.
There are only two modes of operation for the kadmind that make any
sense at all:

	* Use the DES key passed by the kpasswd client (no matter what
	  string_to_key algorithm was used)

	* Use the text password passed by the kpasswd client to generate
	  a DES key using the MIT string_to_key algorithm. (In
	  the case where you are converting to the standard
	  string_to_key algorithm.)

Which mode of operation a site administrator chooses to use is up to him
or her. If a site administrator chooses the second, and there are
clients that only support the Transarc string_to_key(), then users will
lose. But that will be true no matter which solution you choose.
Hence, I continue to believe the solution which I outlined to be the
cleaner way of accomplishing your goal.
- Ted