[335] in Hesiod
Re: Hesiod 2.0.0
daemon@ATHENA.MIT.EDU (Russell McOrmond)
Sun Dec 1 13:10:35 1996
From: Russell McOrmond <russell@flora.ottawa.on.ca>
To: ghudson@MIT.EDU (Greg Hudson)
Date: Sun, 1 Dec 1996 13:09:17 -0500 (EST)
Cc: russell@flora.ottawa.on.ca, hesiod@MIT.EDU
In-Reply-To: <199612010308.WAA08727@cutter-john.mit.edu> from "Greg Hudson" at Nov 30, 96 10:08:41 pm
> > 5) I have done some local enhancements to hes_getpwname() in order
> > to implement a shadow password arrangement. I am using this for
> > things such as the CYRUS IMAPD server for keeping passwords. Is
> > anyone interested in this patch? Would it be possible for something
> > like this to be included in the distribution?
>
> Who gets to look at the shadow password information? Even if you
> assume secure DNS, I don't think this could be done securely. (We
> don't recommend putting encrypted passwords in Hesiod password
> information; we recommend using Kerberos.)

The idea is much simpler than what Kerberos would be used for. I have
a situation where I want to have 'Name information' (IE: This userID is
for this person's account) that needs to be distributed, but password
information that does not need to be distributed.

I am using the 'shadow passwords' to allow a hes_getpwname() to get the
'Finger info' and other stuff from HESIOD, while obtaining the password
from a separate file (In this case, conforming to the specification used
by the APACHE DBM file format) that is then not distributed.

Kerberos is a better solution for distributing the passwords, but is
also more complex than what many people might need. It's not a simple
#define in order to make use of Kerberos, while it is to make use of the
modified hes_getpwname() call.

--
Russell McOrmond, Consultant: <http://www.flora.org/russell/work/>
(Internet/Intranet server admin,CGI programming,Web,Email,News, ...)
Community Volunteer: <http://www.flora.org/> <http://www.ox.org/ox/>
Linux: Where do you want to go tomorrow?
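
The split described in the message above, sketched as an added example (not code from this message or from the Hesiod distribution): name information comes from a distributed passwd-style record, while the hash is read from a local DBM file that must be owner-only. The function names, the sample record, the value layout hash[:groups[:comment]], and Python's dbm.dumb as a stand-in for the DBM file are all assumptions.

```python
import dbm.dumb
import os
import stat
import tempfile

# Constructed sample: a passwd-style record as the distributed name service
# would return it, with "*" where the password hash used to be.
SAMPLE_RECORD = "jdoe:*:1001:100:Jane Doe,Room 12,555-0100:/home/jdoe:/bin/sh"

def parse_passwd_record(record):
    """Split a passwd(5)-style record into named fields."""
    fields = record.split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields")
    keys = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")
    return dict(zip(keys, fields))

def local_hash(db_path, user):
    """Read the user's hash from the local DBM file, or None if absent.

    Assumed value layout: hash[:groups[:comment]]. Refuses to read a file
    that group or other can access, since the file holds the only secret.
    """
    for suffix in (".dat", ".dir"):
        if os.stat(db_path + suffix).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(db_path + suffix + " is not owner-only")
    with dbm.dumb.open(db_path, "r") as db:
        value = db.get(user.encode())
    return value.decode().split(":", 1)[0] if value else None

def getpwnam_split(record, db_path):
    """Merge distributed name info with the locally stored hash."""
    entry = parse_passwd_record(record)
    # Never trust a hash that arrived over the network; unknown users stay locked.
    entry["passwd"] = local_hash(db_path, entry["name"]) or "*"
    return entry

def build_sample_db(directory):
    """Create a constructed owner-only DBM file with one placeholder hash."""
    path = os.path.join(directory, "shadow")
    with dbm.dumb.open(path, "n", 0o600) as db:
        db[b"jdoe"] = b"$placeholder$hash:staff:constructed entry"
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(getpwnam_split(SAMPLE_RECORD, build_sample_db(tmp)))
```
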