[142] in Info-AFS_Redistribution
Re: authentication database vs. /etc/passwd ...
daemon@ATHENA.MIT.EDU (Craig_Everhart@transarc.com)
Fri Jun 14 12:12:24 1991
Date: Fri, 14 Jun 1991 11:44:37 -0400 (EDT)
From: Craig_Everhart@transarc.com
To: henry@ads.com, Info-AFS@transarc.com, Marybeth_Schultz@transarc.com
In-Reply-To: <UcK=_XD0BwwFE0ngh9@transarc.com>
The problem can probably be re-cast in terms of ways that admins can
make the change be less disruptive for their community.
In a similar problem, where one changes the encryption method for
passwords, the well-understood technique for doing this is:
(a) First, try the given cleartext password under the new encryption
scheme. If it works, great.
(b) Failing that, try the given cleartext password under the old
encryption scheme. If it works there, great. Optionally, in
addition, do one or more of:
    (b1) Set the stored password for the account to be the result of
    encrypting it with the new encryption scheme, so future versions
    of step (a) will work.
    (b2) Remind the user to issue some command to set their password
    and get it converted to the new encryption scheme.
Eventually, of course, you turn off step (b) entirely, with some advance
warning.
I expect that some similar scheme can be deployed for your users as you
try to phase in some new authentication mechanism. Actually, I believe
that AFS login allows for moderately graceful installation. Its two
phases are (I think):
(1) Try the given cleartext password as an AFS password. If that's
successful, authenticate to AFS and allow access to the workstation.
(2) Failing that, try the given cleartext password as an /etc/passwd
match. If that's successful, print a warning message about not
being authenticated, and allow unauthenticated access to the
workstation.
Users are thus encouraged to switch to using their AFS password to log
in. Eventually, you can remove most or all (well, maybe not for root)
encrypted passwords from the /etc/passwd file, so that users use only
their AFS passwords.
Is that more like an answer to your question?
Craig
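The two-scheme verification procedure (steps (a), (b), (b1), (b2) and the eventual switch-off of (b)) and the two-phase workstation login (steps (1) and (2)) can both be modelled in a few dozen lines. The following is an added example, not code from Craig's message, from AFS, or from any real login program. It assumes an in-memory password table in place of the real authentication database and /etc/passwd, an unsalted SHA-1 digest as a constructed stand-in for the "old" scheme, and salted PBKDF2-HMAC-SHA256 as the "new" scheme; the `old$`/`new$` tags, `PasswordStore`, `workstation_login` and the reminder list are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed scheme tags so a stored entry says which scheme produced it.
OLD_PREFIX = "old$"   # legacy scheme: unsalted SHA-1 (weak; the reason to migrate)
NEW_PREFIX = "new$"   # replacement scheme: salted PBKDF2-HMAC-SHA256
PBKDF2_ROUNDS = 100_000


def old_hash(password: str) -> str:
    """Stand-in for the legacy encryption scheme (assumption, not DES crypt)."""
    return OLD_PREFIX + hashlib.sha1(password.encode()).hexdigest()


def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    """New scheme: random 16-byte salt, PBKDF2, stored as new$<salt>$<key>."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{NEW_PREFIX}{salt.hex()}${key.hex()}"


def verify_new(password: str, stored: str) -> bool:
    """Step (a): succeed only if the entry is in the new format and matches."""
    if not stored.startswith(NEW_PREFIX):
        return False
    _, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # Constant-time comparison so a mismatch does not leak where it diverged.
    return hmac.compare_digest(key.hex(), key_hex)


def verify_old(password: str, stored: str) -> bool:
    """Step (b): succeed only if the entry is in the old format and matches."""
    if not stored.startswith(OLD_PREFIX):
        return False
    return hmac.compare_digest(old_hash(password), stored)


@dataclass
class PasswordStore:
    """In-memory stand-in for the authentication database."""
    entries: Dict[str, str]
    legacy_enabled: bool = True          # set False to "turn off step (b)"
    reminders: List[str] = field(default_factory=list)  # step (b2) queue

    def check(self, user: str, password: str) -> bool:
        stored = self.entries.get(user)
        if stored is None:
            return False
        if verify_new(password, stored):          # (a)
            return True
        if not self.legacy_enabled:               # (b) has been switched off
            return False
        if not verify_old(password, stored):      # (b)
            return False
        self.entries[user] = new_hash(password)   # (b1): re-encrypt under new scheme
        self.reminders.append(user)               # (b2): remind user to change password
        return True


def workstation_login(user: str, password: str,
                      afs: PasswordStore, etc_passwd: Dict[str, str]) -> str:
    """Steps (1) and (2): return 'afs', 'local' (unauthenticated) or 'denied'."""
    if afs.check(user, password):                 # (1) AFS password: authenticated
        return "afs"
    local = etc_passwd.get(user)
    if local is not None and verify_old(password, local):
        # (2) /etc/passwd match: caller prints the "not authenticated" warning
        return "local"
    return "denied"


if __name__ == "__main__":
    # Constructed sample data: alice still has an old-scheme entry, bob a new one.
    store = PasswordStore({"alice": old_hash("hunter2"), "bob": new_hash("s3cret")})
    etc_passwd = {"dave": old_hash("localpw")}
    print(store.check("alice", "hunter2"), store.entries["alice"][:4], store.reminders)
    print(workstation_login("dave", "localpw", store, etc_passwd))
```

Running it shows alice's entry rewritten from `old$` to `new$` on her first successful login and her name queued for a reminder; a second login then succeeds under step (a) alone. Flipping `legacy_enabled` to `False` is the "turn off step (b)" moment: any account that was never converted stops authenticating, which is why the advance warning matters.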