[69] in Info-AFS_Redistribution
Kerberos and UNIX passwd authentication
daemon@ATHENA.MIT.EDU (daemon@ATHENA.MIT.EDU)
Tue Feb 5 03:37:44 1991
Date: Mon, 04 Feb 91 19:00:08 -0500
From: Bill Doster <billdo@ifs.umich.edu>
To: bob@ibmpa.awdpa.ibm.com (Bob Andrews)
Cc: billdo@ifs.umich.edu, info-afs@transarc.com
> Does anyone know of any way to build a UNIX password file, complete
> with encrypted passwords from the kerberos and protection databases
> kept on the AFS servers? What I'd like to do is to switch our
> machines over to use AFS (Kerberos) as the primary means of password
> maintenance and authentication. The problem is, we have several
> types of systems for which we don't have a working login program that
> will authenticate with AFS.
The password field in /etc/passwd is generated by running crypt()
on a user's password. The password "field" (Kerberos key) stored
in the Kerberos database is generated by running AFS's string-to-key
function on a user's password.
> We need such a program so we can continue to have a common pw file,
> and use kerberos as the primary means of password authentication.
If you want to generate the /etc/passwd password fields and your
starting point is the Kerberos keys of the Kerberos database
then you are pretty much out of luck. The AFS string-to-key
function is (intentionally) a one-way function (by which I mean
that it's easy to map from a user password to Kerberos key while
it is very difficult to derive the original password from the
Kerberos key). Therefore, to generate the /etc/passwd fields,
you really need to have the plaintext version of the password.
The system sees the plaintext password at two points: all login-
type programs (login, rexecd(), xdm, ftpd) and password-changing
programs (passwd). By intercepting the plaintext password at
one (or both) of these two points, you would be able to re-construct
(or maintain) the password fields of /etc/passwd.
I would suggest that you either:
1. Modify all login programs to ignore the password
field in /etc/passwd and instead consult the
AFS kerberos server.
or
2. Modify your password-changing programs so that they
will update both the kerberos database and the
/etc/passwd password field. If you don't have
the source for the passwd programs, you may be
able to wrap a script around them that does both,
although it raises numerous security concerns...
I would view option 2 as a work-around until you can move to
option 1 because while it gives you a common password file it
does not offer you any additional security on the non-AFS
machines.
Hope that answers your question,
Bill Doster
IFS Project, Univ. of Mich.
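The two derivations and the two options Bill describes, as an added example that is not part of the original message: both one-way functions are modelled with PBKDF2 stand-ins (neither the real DES-based crypt(3) scheme nor the real AFS string-to-key), and the cell name, store layout and class names are assumptions made for the example.

```python
import hashlib
import secrets

# Stand-ins for the two one-way functions the message contrasts. Only the
# property that matters is preserved: each is easy to compute from the
# plaintext and neither can be computed from the other.

def unix_crypt_field(password: str, salt: bytes) -> str:
    """Model of the /etc/passwd password field: random salt + one-way hash."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return salt.hex() + "$" + dk.hex()

def afs_string_to_key(password: str, cell: str) -> bytes:
    """Model of the Kerberos key: derived from password and cell name, no random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), cell.encode(), 10_000, dklen=8)

class PasswordStores:
    """The /etc/passwd field and the Kerberos key, kept as two separate records."""

    def __init__(self, cell: str):
        self.cell = cell
        self.passwd = {}    # user -> crypt-style field
        self.kerberos = {}  # user -> Kerberos key bytes

    def change_password(self, user: str, plaintext: str) -> None:
        # Option 2: the password-changing program is the one point where the
        # plaintext is available, so both derived forms are written from it here.
        salt = secrets.token_bytes(2)
        self.passwd[user] = unix_crypt_field(plaintext, salt)
        self.kerberos[user] = afs_string_to_key(plaintext, self.cell)
        # The plaintext itself is never stored; only the two derived forms are.

    def login_via_kerberos(self, user: str, plaintext: str) -> bool:
        # Option 1: login ignores the /etc/passwd field and checks the Kerberos key.
        key = self.kerberos.get(user)
        if key is None:
            return False
        return secrets.compare_digest(key, afs_string_to_key(plaintext, self.cell))

    def login_via_passwd(self, user: str, plaintext: str) -> bool:
        # Legacy path for machines without an AFS-aware login program.
        field = self.passwd.get(user)
        if field is None:
            return False
        salt_hex, _ = field.split("$", 1)
        return secrets.compare_digest(field, unix_crypt_field(plaintext, bytes.fromhex(salt_hex)))
```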