transfer users from Kerberos to another authentication system

[Donn Cave]

On Tuesday, December 30, 2003, at 04:53 PM, Gerd Pokorra wrote:
>    Okay, I think I understand why it is not possible to convert the 
> standard
>    UNIX password database to a Kerberos database. I think that is a 
> great
>    disadvantage from Kerberos.
>    But may be I have migrated more as 10000 students to a KDC and in 
> 10 years
>    nobody will talk any more about Kerberos. Is it possible to extract 
> the
>    users from a Kerberos database and to transfer them to another
>    authentication system?

One solution to this (hypothetical) problem is to develop your own
password management software and integrate it with Kerberos and
whatever alternatives you may be considering.  Of course this needs
to be done with a lot of attention to security.

You can probably wait until the need arises to do this, implement
something fairly simple, and then enforce a password expiration
policy if you don't already.  Once the term of that policy has passed,
every valid password has passed through your password management
system and been propagated to all of the authentication databases.

 From there you can use them in parallel.  For example, you'd very
likely have 2 or more KDCs and several UNIX hosts with shadow password
files, and your system will keep all of them up to date.  Or it could
update UNIX passwords for only a few critical accounts that have to be
able to log in without network services.  Each of the KDCs can be a
"master" receiving immediate password updates, unlike the MIT slave
propagation system which can't run very frequently due to resource
considerations.

	Donn Cave, University Computing Services, University of Washington
	donn at u.washington.edu