[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Kerberos 5 and easing the transition



    Derrick> You can't convert a password file to krb5 directly, but you can as you say
    Derrick> modify login to insert passwords. It's dangerous though. How do you
    Derrick> authenticate the users? If so, what's to stop someone from getting what would
    Derrick> be an add admin key from wherever login gets it and if not how do you stop just
    Derrick> any process from doing it? This is obviously environment dependant but it's
    Derrick> something to consider

    Derrick> -D


Sometimes, user convenience and scalability takes precedence over
security considerations.  We had several thousand users to convert,
and the requirement was that they should not know or care that they
were using kerberos.  Obviously, manually showing each one how to
change their kerberos password was not an option.  We would have
preferred not to implement what we called the "trojan horse xlock",
but we felt we had no choice.  Yes, it was decomissioned months ago.

Isaac



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []