afs to k5 conversion keytypes

Sam Hartman hartmans at MIT.EDU
Tue Feb 22 15:33:51 EST 2005

>>>>> "Ken" == Ken Hornstein <kenh at> writes:

    Ken> There is one way ... but it requires you to have your
    Ken> Kerberos Shit Together.

    Ken> Write a custom login program that once you login correctly
    Ken> using an AFS salted key, generates a V5 salted key from that
    Ken> plaintext password and stores it somewhere.  "Somewhere"
    Ken> could be in a V5 database (e.g., you can simply force a
    Ken> password change).  This means not only would you have to know
    Ken> how to program the poorly-documented Kerberos API, but you
    Ken> would have to figure out how to program the
    Ken> even-more-poorly-documented kadm5 API.

krb5_change_password is not any worse to use than the init_creds API.
You can avoid the kadm5 API.
