Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!ucsd!ucbvax!agate!shelby!ATHENA.MIT.EDU!jis
From: jis@ATHENA.MIT.EDU (Jeffrey I. Schiller)
Newsgroups: comp.protocols.kerberos
Subject: Re: Questions on Kerberos usage
Message-ID: <8909100419.AA01183@STEVE-DALLAS.MIT.EDU>
Date: 10 Sep 89 04:19:42 GMT
References: <8909081623.AA01464@dip.cs.wisc.edu>
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 39

When we first started converting existing users here at MIT from Unix password authentication to Kerberos authentication we did so over a transition period. In this period we installed a hacked up version of the "passwd" command that would change your password in the local password file *and* register you with the kerberos database. A special server was run on the kerberos database server system that accepted requests on a privileged port (barf ech!).

There were two interesting cases:

1) User changing his password for which no kerberos entry existed.

2) User changing his password for which a kerberos entry already existed.

Case [2] was handled by getting tickets for the user using the "old password." The request sent to kerberos with the new password was of course encrypted. This use of the passwd program is secure (provided the old password isn't compromised). This is essentially the password changing program in use today.

Case [1] was handled by the password program which, upon failing to get tickets for the user in question, would get tickets for the user named "default.changepw." This user had a constant password hardcoded into the password changing program. Default.changepw had access (via the special hacked server) to add new people to the database, but could not change the password of an existing user. We made noise publicly asking people to change their passwords (even if they only changed it to the same string!) so that our database would get populated.

At some point (more than a year) we cut over our environment to depend on Kerberos authentication. At that point people who didn't change their password were not able to login until they saw a system administrator and got their Kerberos password established.

Note: People in this category still surface!

-Jeff
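The authorization split described in the post, modelled as an added example (not MIT's 1989 code): the client falls back to "default.changepw" whenever it cannot get tickets as the user, and the server-side rule that default.changepw may only add a principal, never overwrite one, is what stops a wrong old password from becoming a password reset. All names, passwords and the in-memory database are constructed.

```python
from dataclasses import dataclass, field

DEFAULT_CHANGEPW = "default.changepw"  # the add-only principal from the post


@dataclass
class KerberosDB:
    """Toy stand-in for the kerberos database plus the special server.
    Passwords are stored in the clear only to keep the model short."""
    entries: dict = field(default_factory=dict)

    def get_tickets(self, principal, password):
        """Stands in for obtaining tickets: true only if the password matches."""
        return self.entries.get(principal) == password

    def handle_request(self, authenticated_as, target, new_password):
        """Server-side policy.  Case [2]: a principal authenticated as itself
        may change its own password.  Case [1]: default.changepw may add a
        principal that does not exist yet, but never touch an existing one.
        This rule, not the client, is the real control, since the
        default.changepw password is embedded in every copy of the client."""
        if authenticated_as == target and target in self.entries:
            self.entries[target] = new_password
            return "changed"
        if authenticated_as == DEFAULT_CHANGEPW and target not in self.entries:
            self.entries[target] = new_password
            return "added"
        raise PermissionError(f"{authenticated_as} may not set password of {target}")


def passwd_client(db, user, old_password, new_password, hardcoded_pw):
    """Client side of the hacked 'passwd': try the user's own tickets first;
    on failure fall back to default.changepw, as the post describes.
    Returns the server's verdict instead of raising, for easy checking."""
    try:
        if db.get_tickets(user, old_password):
            return db.handle_request(user, user, new_password)
        if db.get_tickets(DEFAULT_CHANGEPW, hardcoded_pw):
            return db.handle_request(DEFAULT_CHANGEPW, user, new_password)
        return "refused: no tickets at all"
    except PermissionError as err:
        return f"refused: {err}"
```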