Kerberos Passwords
Brian Davidson
bdavids1 at gmu.edu
Wed Jul 21 17:58:13 EDT 2004
If the other application can't be kerberized, one option would be to
force users to use a central password change web application. The web
application would handle the unencrypted username and password and
would change the Kerberos password and then set the password in your
application. The only way I know of to keep things synchronized is to
make that your *only* password change mechanism. Change the kerb
password first because the KDC will reject some bad passwords.

If the other application has bad security, such as storing cleartext
passwords in a table in some SQL database, then I would strongly advise
against this. Especially if it's one of those apps where a single
database account is shared...

We're looking at having to perform such a synchronization for some of
our centralized applications which just won't play nice with Kerberos,
for which a "single password" environment is desired.

If it's a homegrown application, look into using Kerberos
authentication. It is very likely that Kerberos is the more secure
approach...

Brian
On Jul 21, 2004, at 11:15 AM, Otis, Troy wrote:

> Hi,
>
> I am part of a development team that currently uses Kerberos as part
> of an application that provides services to clients. We want to
> incorporate another application which has its own verification
> separate from Kerberos. What we want to be able to do is take the
> user ids and passwords from the Kerberos database and replicate them
> into the new application. I have a script to insert the userids and
> passwords into the new application but don't know how to get them out
> of Kerberos. I have root and the Kerberos master key on the server
> but have no idea how to decrypt the user passwords.
>
> Any help would be great.
>
> Thanks,
>
> Troy
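The single change path Brian recommends, written out as an added example that is not from this thread or any real KDC code: the KDC is a constructed stand-in that enforces a password policy, the other application stores only a salted hash (never the cleartext the reply warns against), and the change is applied to Kerberos first so a policy rejection leaves both stores untouched. The principal, policy and iteration count are assumptions.

```python
import hashlib
import secrets

# Constructed stand-in for the KDC: the *first* store the web application
# must update, because it may reject the new password under its policy.
class FakeKDC:
    MIN_LENGTH = 8  # assumed policy

    def __init__(self):
        self.principals = {"troy@EXAMPLE.ORG": "OldPassw0rd"}  # constructed sample

    def change_password(self, principal, old_pw, new_pw):
        if self.principals.get(principal) != old_pw:
            raise PermissionError("old password incorrect")
        if len(new_pw) < self.MIN_LENGTH or new_pw.lower() == principal.split("@")[0]:
            raise ValueError("KDC password policy rejected the new password")
        self.principals[principal] = new_pw

# Constructed stand-in for the non-Kerberos application: keeps a salted
# PBKDF2 hash per user instead of a cleartext column in an SQL table.
class AppPasswordStore:
    ITERATIONS = 100_000  # assumed

    def __init__(self):
        self.records = {}

    def set_password(self, username, new_pw):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_pw.encode(), salt, self.ITERATIONS)
        self.records[username] = (salt, digest)

    def verify(self, username, pw):
        salt, digest = self.records[username]
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, self.ITERATIONS) == digest

def change_password_everywhere(kdc, app, principal, old_pw, new_pw):
    """The only password change mechanism: Kerberos first, then the app.
    Returns "ok", "rejected" (nothing changed anywhere) or "desync"
    (KDC accepted the change but the app did not; operators must be alerted)."""
    try:
        kdc.change_password(principal, old_pw, new_pw)
    except (PermissionError, ValueError):
        return "rejected"
    try:
        app.set_password(principal.split("@")[0], new_pw)
    except Exception:
        return "desync"  # the two stores now disagree; log and page someone
    return "ok"
```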