[200] in Info-AFS_Redistribution


Re: Question in re: AFS vs MIT kerberos

daemon@ATHENA.MIT.EDU (Richard Basch)
Wed Jul 10 15:11:59 1991

Date: Wed, 10 Jul 91 14:21:06 -0400
To: Bruce McKenney <mckenney@rpi.edu>
Cc: info-afs@transarc.com
In-Reply-To: Bruce McKenney's message of Wed, 10 Jul 91 12:29:55 -0400,
From: Richard Basch <basch@MIT.EDU>


MIT Kerberos and AFS kaserver both offer a Kerberos style service.  The
only difference is how the user's passwords are encoded (the
string_to_key function is different).  One can operate AFS against a
standard MIT Kerberos key database, and it is also possible to have the
kaserver provide other Kerberos services.  It really comes down to which
one you wish to use and how you wish to manage the databases.
Solutions exist for both.

At MIT, with about 15,000 active accounts and registered passwords in
the MIT Kerberos database, it made more sense for us to continue using
our database.  (We are not running standard code because we have other
enhancements, but that is not really an issue; there exist solutions
that don't require AFS source.)

Basically AFS service authenticates the user by using DES decryption of
the "token".  As long as the server keys are identical between the AFS
servers and the authentication servers (kaserver or Kerberos), there is
not a problem.  string_to_key only plays a role in the initial
conversion of a password to a DES key, and is never used after that.
Both authentication servers hand you back an identity token encrypted in
the string_to_key of your password, and it is up to you to successfully
decrypt it to be able to use it.  That is why the only difference is in
the password verification.

-Richard
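The flow Richard describes, as an added example that is not part of the original message and not AFS or MIT Kerberos code: an authentication server hands back a token encrypted under string_to_key(password), the client opens it with its own copy of string_to_key, and the file server only ever checks the inner ticket under the shared server key. Two constructed string_to_key variants stand in for the MIT and kaserver derivations (the real algorithms are not reproduced here), DES is replaced by a keyed SHA-256 stream plus an HMAC tag so the example runs with the standard library only, and the cell name, principal, password and key bytes are all made up. Only the odd-parity fix-up on the 8-byte key is real DES practice.

```python
import hashlib
import hmac
import json

# --- stand-in cipher (constructed; real AFS/Kerberos v4 use single DES) ---
def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-8], blob[-8:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("decryption failed: wrong key")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))

# --- key derivation ---
def _odd_parity(block: bytes) -> bytes:
    """Force odd parity in the low bit of each byte, as DES keys require."""
    fixed = bytearray()
    for b in block:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        fixed.append(b)
    return bytes(fixed)

def string_to_key_variant_a(password: str, cell: str) -> bytes:
    # constructed stand-in for one server's string_to_key: password alone
    return _odd_parity(hashlib.sha256(password.encode()).digest()[:8])

def string_to_key_variant_b(password: str, cell: str) -> bytes:
    # constructed stand-in for the other: password folded with the cell name
    return _odd_parity(hashlib.sha256((cell.lower() + "|" + password).encode()).digest()[:8])

# --- authentication server: token for the user, ticket for the file server ---
def issue_token(user_key: bytes, server_key: bytes, identity: str, session_key: bytes) -> bytes:
    ticket = encrypt(server_key, json.dumps({"id": identity, "sk": session_key.hex()}).encode())
    creds = {"sk": session_key.hex(), "ticket": ticket.hex()}
    return encrypt(user_key, json.dumps(creds).encode())

# --- client: only place where string_to_key matters ---
def client_unwrap(password: str, cell: str, string_to_key, token: bytes):
    creds = json.loads(decrypt(string_to_key(password, cell), token))
    return bytes.fromhex(creds["sk"]), bytes.fromhex(creds["ticket"])

# --- file server: checks the ticket under the shared server key only ---
def fileserver_verify(server_key: bytes, ticket: bytes, session_key: bytes):
    t = json.loads(decrypt(server_key, ticket))
    return t["id"] if bytes.fromhex(t["sk"]) == session_key else None

def demo() -> dict:
    server_key = _odd_parity(bytes.fromhex("0123456789abcdef"))   # constructed
    session_key = _odd_parity(bytes.fromhex("fedcba9876543210"))  # constructed
    cell, user, pw = "example.edu", "someuser", "correct horse"    # constructed
    results = {}
    # Either derivation works end to end as long as the server key is shared.
    for name, stk in (("variant_a", string_to_key_variant_a), ("variant_b", string_to_key_variant_b)):
        token = issue_token(stk(pw, cell), server_key, user, session_key)
        sk, ticket = client_unwrap(pw, cell, stk, token)
        results[name] = fileserver_verify(server_key, ticket, sk)
    # A client using the other string_to_key cannot open its own token:
    # that is the "password verification" difference, and nothing else.
    token = issue_token(string_to_key_variant_a(pw, cell), server_key, user, session_key)
    try:
        client_unwrap(pw, cell, string_to_key_variant_b, token)
        results["mismatch"] = "decrypted"
    except ValueError:
        results["mismatch"] = "failed"
    return results

if __name__ == "__main__":
    print(demo())
```

The file server never calls string_to_key at all; swapping one derivation for the other changes only whether the client can open the token it was handed, which is the point of the message above.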
