[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Kerberos 5 and easing the transition

   Date: Wed, 12 Feb 1997 08:56:39 -0800 (PST)
   From: Nick Kralevich <nickkral@ferrari.autobahn.org>

   We are in the process of converting from a UNIX flat password list
   (/etc/passwd) to Kerberos 5.  Here are the million dollar questions:

   In the "pam modules under development", there is the following entry

	pam_kerberos: Kerberos authentication scheme; 
	Theodore Y. Ts'o <tytso@mit.edu> 
	Another implementation has been written for Kerberos 4 authentication 
	Derrick J Brashear <shadow+@andrew.cmu.edu> 

   Has this module been released yet?  

No; and to be honest, I haven't started it yet.  I've been meaning to
(and for quite a while!), but life has been too busy lately.  If someone
beats me to it, that's fine, although I still plan to get this done as
soon as I have the time.

   Is there any tool or PAM module to aid in the transition from the UNIX
   password format to Kerberos 5 passwords?  I'm thinking about writing a PAM
   password module that adds the password to the kerberos database if no
   kerberos password already exists, then marking the user as changed and
   deleting their UNIX password in /etc/passwd. 

The dangerous part is how you "add the password to the Kerberos
database".  This implies administrative access to the Kerberos server,
either via a srvtab key on every single workstation where you plan to
deploy this (and you'd better not let that srvtab key get stolen!), or
some other scheme. 

You could make this scheme a bit more secure by stashing a full database
of all of the /etc/passwd entries on the Kerberos server, and then using
a scheme where you create a PGP key for the Kerberos server, have the
PAM module encrypt the username and password using the Kerberos
server's public key, and then send the encrypted password to the
Kerberos server, where it would be decrypted, checked against the
/etc/passwd database, and then entered into the Kerberos database.

There are other ways that you could do this, but the bottom line is that
you have to be very careful, because there are many different ways of
screwing things up.

						- Ted

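The scheme Ted sketches, written out as an added example that is not part of this thread and not code from any PAM module or Kerberos distribution. The workstation (PAM) side encrypts the username and password to the Kerberos server's public key, using RSA-OAEP from Go's standard library in place of PGP; the server side decrypts, checks the password against the stashed /etc/passwd copy, and only then creates the principal, exactly once. Everything not in the thread is assumed or constructed: a salted SHA-256 stand-in for the crypt(3) hashes (Go has no crypt(3)), an in-memory map standing in for the Kerberos database, and the sample user "nick" with password "s3cret".

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// hashPassword stands in for crypt(3), which Go's standard library lacks:
// an assumed salted SHA-256. Only the comparison logic matters here.
func hashPassword(salt []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// passwdEntry is one line of the /etc/passwd copy stashed on the KDC host.
type passwdEntry struct{ salt, hash []byte }

func newPasswdEntry(password string) passwdEntry {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return passwdEntry{salt: salt, hash: hashPassword(salt, password)}
}

// migrationServer runs on the KDC host and holds the only long-term secrets:
// the private key and the stashed passwd copy. Workstations hold neither, so
// a stolen workstation image yields no administrative credential.
type migrationServer struct {
	priv   *rsa.PrivateKey
	passwd map[string]passwdEntry
	kdc    map[string]string // principal -> password; stands in for kadmin
}

func newMigrationServer() (*migrationServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &migrationServer{priv: priv, passwd: map[string]passwdEntry{}, kdc: map[string]string{}}, nil
}

type request struct{ User, Password string }

var oaepLabel = []byte("passwd-to-krb5-migration") // assumed label; binds ciphertexts to this purpose

// encryptRequest is the workstation (PAM module) side. RSA-OAEP with SHA-256
// under a 2048-bit key carries up to 190 bytes of plaintext, enough for a
// username and password; longer payloads would need a hybrid scheme.
func encryptRequest(pub *rsa.PublicKey, user, password string) ([]byte, error) {
	plain, err := json.Marshal(request{User: user, Password: password})
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, oaepLabel)
}

var (
	errNoMatch     = errors.New("no matching entry in stashed passwd database") // same for unknown user and wrong password
	errAlreadyDone = errors.New("user already has a Kerberos principal")
)

// handle is the KDC-host side: decrypt, verify against the stashed passwd copy,
// and only then create the principal, exactly once per user.
func (s *migrationServer) handle(msg []byte) error {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, msg, oaepLabel)
	if err != nil {
		return fmt.Errorf("decrypt: %w", err) // wrong key, wrong label or any tampering
	}
	var req request
	if err := json.Unmarshal(plain, &req); err != nil {
		return err
	}
	entry, ok := s.passwd[req.User]
	if !ok || subtle.ConstantTimeCompare(hashPassword(entry.salt, req.Password), entry.hash) != 1 {
		return errNoMatch
	}
	if _, exists := s.kdc[req.User]; exists {
		return errAlreadyDone // never overwrite an existing principal's key
	}
	s.kdc[req.User] = req.Password
	return nil
}

func main() {
	s, _ := newMigrationServer()
	s.passwd["nick"] = newPasswdEntry("s3cret") // constructed sample entry
	msg, _ := encryptRequest(&s.priv.PublicKey, "nick", "s3cret")
	fmt.Println("first attempt:", s.handle(msg))
	fmt.Println("replay of the same message:", s.handle(msg))
}
```

Two points worth noticing in the server half. It returns one error for an unknown user and for a wrong password, so the migration endpoint does not double as a username oracle, and it refuses to touch a principal that already exists, so a replayed or late request cannot reset a password the user has since changed in Kerberos. What the example does not do, and a real deployment would still need, is get the server's public key onto each workstation in a way the workstation can trust, and rate-limit requests: by construction this service will verify any guess against the stashed hashes for every user not yet migrated.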