From owner-freebsd-hackers Mon Dec 15 21:17:23 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id VAA23525 for hackers-outgoing; Mon, 15 Dec 1997 21:17:23 -0800 (PST) (envelope-from owner-freebsd-hackers)
Received: from phoenix.its.rpi.edu (dec@phoenix.its.rpi.edu [128.113.161.45]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id VAA23510 for ; Mon, 15 Dec 1997 21:17:16 -0800 (PST) (envelope-from dec@phoenix.its.rpi.edu)
Received: from localhost (dec@localhost) by phoenix.its.rpi.edu (8.8.8/8.8.7) with SMTP id AAA14483; Tue, 16 Dec 1997 00:17:05 -0500 (EST) (envelope-from dec@phoenix.its.rpi.edu)
Date: Tue, 16 Dec 1997 00:17:05 -0500 (EST)
From: "David E. Cross"
To: Dan Jacobowitz
cc: hackers@FreeBSD.ORG
Subject: Re: passwd issues with kerberos
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 15 Dec 1997, Dan Jacobowitz wrote:
>
> (First of all - my system somehow ended up using MD5 passwords (don't ask)
> and my next project for passwd will be to make it switch to DES passwords.
> That's a site-specific patch more than a FreeBSD issue, although I'll make
> it available once I get it to work.)
>
> Next - is the DES encryption used by kerberosIV and that used by
> libdescrypt? If so, it may be possible for me to hack kdb_edit to create
> new principals for all of my users from the passwd database, once we're
> back in DES mode.

Yes, Kerberos IV (and Kerberos V by default) use DES. The answer to your second question is no. Kerberos IV uses straight DES CBC (actually PCBC). The DES used in the passwd files is DES with a 'salt' value. The 'salt' value (there are 4096 of them) is mixed in with the password at each round (there are 12 rounds; Kerberos IV only has one). In short, while both are DES, there are numerous differences that would make 'converting' the passwords not possible.

On the plus side of things, you can give people both a Kerberos and a local password, instruct them to change, and nuke their regular password when they do (this is the method I usually recommend).

> Is there an adduser with kerberos support by any chance? Adding each one
> is a royal pain - I know there must be a better tool than kdb_edit out
> there somewhere.

Yes... using kdb_edit is just plain evil; use 'kadmin' (requires you start kadmind, which you should anyway). There is a good section on this in the FreeBSD Handbook.
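The salt mixing David refers to, as an added illustration that is not part of this thread: the classic Unix crypt(3) turns its two salt characters into a 12-bit value that selects which pairs of DES E-expansion outputs are swapped, which is where the 4096 variants come from; plain DES as used by Kerberos IV is only the unperturbed case. The bit layout below follows the original Unix crypt.c and is stated as an assumption.

```python
# Salt handling of the classic Unix crypt(3) DES scheme (added example,
# not code from the thread). Each salt character carries 6 bits; bit j
# of character i swaps E[6*i + j] with E[6*i + j + 24] (layout assumed
# from the original crypt.c), so 64 * 64 = 4096 distinct DES variants
# exist. Standard DES, as used by Kerberos IV, is the salt ".." case.

SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Standard DES E-expansion table: 48 entries, 1-based input bit numbers.
DES_E = [
    32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
    8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
    16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
    24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1,
]

def salt_char_value(c):
    """Map one salt character to its 6-bit value (0..63)."""
    if c not in SALT_ALPHABET:
        raise ValueError("invalid salt character %r" % c)
    return SALT_ALPHABET.index(c)

def salt_bits(salt):
    """Return the 12-bit value encoded by a two-character salt."""
    if len(salt) != 2:
        raise ValueError("traditional crypt salt is exactly two characters")
    return salt_char_value(salt[0]) | (salt_char_value(salt[1]) << 6)

def perturbed_e_table(salt):
    """Return the E-expansion table after applying the salt swaps."""
    if len(salt) != 2:
        raise ValueError("traditional crypt salt is exactly two characters")
    e = list(DES_E)
    for i, c in enumerate(salt):
        v = salt_char_value(c)
        for j in range(6):
            if (v >> j) & 1:
                a, b = 6 * i + j, 6 * i + j + 24
                e[a], e[b] = e[b], e[a]
    return e

def count_distinct_tables():
    """Enumerate every salt and count the distinct E tables produced."""
    seen = set()
    for c0 in SALT_ALPHABET:
        for c1 in SALT_ALPHABET:
            seen.add(tuple(perturbed_e_table(c0 + c1)))
    return len(seen)
```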