
Re: Kerberos 5 and easing the transition



>  In the "pam modules under development", there is the following entry
>  
>       pam_kerberos: Kerberos authentication scheme; 
>       Theodore Y. Ts'o <tytso@mit.edu> 
>       Another implementation has been written for Kerberos 4 authentication 
>       Derrick J Brashear <shadow+@andrew.cmu.edu> 

The krb4 module (and an afs module that uses it) are done. I have a true AFS
module I need to finish, and if after that the krb5 module isn't coming along, I
figure on working on that.


>  Is there any tool or PAM module to aid in the transition from the UNIX
>  password format to Kerberos 5 passwords?  I'm thinking about writing a PAM
>  password module that adds the password to the kerberos database if no
>  kerberos password already exists, then marking the user as changed and
>  deleting their UNIX password in /etc/passwd. 

You can't convert a password file to krb5 directly, but you can, as you say,
modify login to insert passwords. It's dangerous though. How do you
authenticate the users? If so, what's to stop someone from getting what would
be an add admin key from wherever login gets it, and if not, how do you stop just
any process from doing it? This is obviously environment dependent, but it's
something to consider.

-D


