afs to k5 conversion keytypes
Ken Hornstein
kenh at cmf.nrl.navy.mil
Tue Feb 22 15:27:06 EST 2005
>To my knowledge there is no way to convert keys like you're wanting to do.
>My suggestion, if it's possible in your environment, would be to implement
>a password expiration policy with a deadline of a few months and let
>everyone gradually change their password.
There is one way ... but it requires you to have your Kerberos Shit
Together.
Write a custom login program that once you login correctly using an AFS
salted key, generates a V5 salted key from that plaintext password and
stores it somewhere. "Somewhere" could be in a V5 database (e.g., you
can simply force a password change). This means not only would you
have to know how to program the poorly-documented Kerberos API, but you
would have to figure out how to program the even-more-poorly-documented
kadm5 API.
I have seen other variations on this, but it's all basically, "Get the user
to enter in a plaintext password to some login-like program, validate it,
and then generate a V5 key from it". Sadly, the intersection of people
who have their Kerberos Shit Together and people who actually _need_ this
functionality is currently the null set.
--Ken
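
The migrate-on-login flow described in the message, sketched as an added example (not part of the original post and not code from any Kerberos or AFS distribution). Assumptions: PBKDF2 stands in for the real string-to-key functions, the AFS-style salt is the cell name, the V5 salt is the realm followed by the principal components, and the two dicts stand in for the key databases that a real implementation would reach through the Kerberos and kadm5 APIs.

```python
import hashlib
import hmac

ITERATIONS = 4096  # constructed work factor for the stand-in KDF


def derive_key(password: str, salt: str) -> bytes:
    # Stand-in for a Kerberos string-to-key function (assumption).
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(),
                               ITERATIONS, 32)


def afs_salt(cell: str) -> str:
    return cell.lower()                      # assumed: cell name only


def v5_salt(realm: str, principal: str) -> str:
    return realm + principal.replace("/", "")  # realm + components


class MigratingLogin:
    """Hypothetical login front end that re-keys users as they log in."""

    def __init__(self, realm: str, cell: str):
        self.realm, self.cell = realm, cell
        self.afs_keys = {}   # principal -> key under the AFS-style salt
        self.v5_keys = {}    # principal -> key under the V5 salt

    def enroll_legacy(self, principal: str, password: str) -> None:
        self.afs_keys[principal] = derive_key(password, afs_salt(self.cell))

    def login(self, principal: str, password: str) -> str:
        """Return 'v5', 'migrated' or 'denied'."""
        if principal in self.v5_keys:        # already converted
            cand = derive_key(password, v5_salt(self.realm, principal))
            ok = hmac.compare_digest(cand, self.v5_keys[principal])
            return "v5" if ok else "denied"
        # Derive even for unknown users so both paths do the same work.
        cand = derive_key(password, afs_salt(self.cell))
        legacy = self.afs_keys.get(principal)
        if legacy is None or not hmac.compare_digest(cand, legacy):
            return "denied"
        # The plaintext is now proven correct: this is the only point at
        # which a key under the new salt can be produced.
        self.v5_keys[principal] = derive_key(
            password, v5_salt(self.realm, principal))
        del self.afs_keys[principal]         # retire the old-salt key
        return "migrated"
```

The key under the new salt cannot be computed from the stored old key, only from the password, which is why the conversion has to happen inside something that sees the plaintext at login.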