afs to k5 conversion keytypes

Ken Hornstein kenh at
Tue Feb 22 15:27:06 EST 2005

>To my knowledge there is no way to convert keys like you're wanting to do.  
>My suggestion, if it's possible in your environment, would be to implement 
>a password expiration policy with a deadline of a few months and let 
>everyone gradually change their password.

Thewre is one way ... but it requires you to have your Kerberos Shit

Write a custom login program that once you login correctly using an AFS
salted key, generates a V5 salted key from that plaintext password and
stores it somewhere.  "Somewhere" could be in a V5 database (e.g., you
can simply force a password change).  This means not only would you
have to know how to program the poorly-documented Kerberos API, but you
would have to figure out how to program the even-more-poorly-documented
kadm5 API.

I have seen other variations on this, but it's all basically, "Get the user
to enter in a plaintext password to some login-like program, validate it,
and then generate a V5 key from it".  Sadly, the intersection of people
who have their Kerberos Shit Together and people who actually _need_ this
functionality is currently the null set.


More information about the Kerberos mailing list