Date:      Tue, 16 Dec 1997 00:17:05 -0500 (EST)
From:      "David E. Cross" <dec@phoenix.its.rpi.edu>
To:        Dan Jacobowitz <drow@drow.net>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: passwd issues with kerberos
Message-ID:  <Pine.BSF.3.96.971216001057.14429A-100000@phoenix.its.rpi.edu>
In-Reply-To: <Pine.BSF.3.96.971215232734.20324A-100000@mars.abcinternet.net>

On Mon, 15 Dec 1997, Dan Jacobowitz wrote:

> 
> <RANDOM_OTHER_QUESTIONS>
> 
> (First of all - my system somehow ended up using MD5 passwords (don't ask)
> and my next project for passwd will be to make it switch to DES passwords.
> That's a site-specific patch more than a FreeBSD issue, although I'll make
> it available once I get it to work.)
> 
> Next - is the DES encryption used by kerberosIV and that used by
> libdescrypt?  If so, it may be possible for me to hack kdb_edit to create
> new principals for all of my users from the passwd database, once we're
> back in DES mode.

Yes, KerberosIV (and Kerberos V by default) use DES.  The answer to your
second question is no.  Kerberos IV uses straight DES CBC (actually PCBC).
The DES used in the passwd files is DES with a 'salt' value.  The 'salt'
value (there are 4096 of them) is mixed in with the password at each round
(there are 12 rounds, Kerberos IV only has one).  In short, while both are
DES, there are numerous differences that would make 'converting' the
passwords not possible.  On the plus side of things, you can give people
both a kerberos and a local password, instruct them to change, and nuke
their regular password when they do (this is the method I usually
recommend).

> 
> Is there an adduser with kerberos support by any chance?  Adding each one
> is a royal pain - I know there must be a better tool than kdb_edit out
> there somewhere.
> 
yes... using kdb_edit is just plain evil... use 'kadmin'  (requires you
start kadmind, which you should anyway).  There is a good section on this
in the FreeBSD Handbook.
