From owner-freebsd-security Wed Jun 14 12:30:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id A8C7137BD10 for ; Wed, 14 Jun 2000 12:30:41 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id MAA03515; Wed, 14 Jun 2000 12:33:49 -0400 (EDT) (envelope-from wollman) Date: Wed, 14 Jun 2000 12:33:49 -0400 (EDT) From: Garrett Wollman Message-Id: <200006141633.MAA03515@khavrinen.lcs.mit.edu> To: Tushar Patel Cc: Cy.Schubert@uumail.gov.bc.ca, freebsd-security@FreeBSD.ORG Subject: Re: Kerberos for POP, radius, ftp etc In-Reply-To: <200006141451.JAA08402@ecpi.com> References: <200006141417.e5EEHi431392@cwsys.cwsent.com> <200006141451.JAA08402@ecpi.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > So, how do people change the authentication process to kerberos without > involving the end user? Most places use a registration procedure. For example, in the Athena Computing Environment, there are registration servers which have write access to the Kerberos KDC; new users log in using a special account and prove their identity using an out-of-band mechanism. (We don't do anything like that here at LCS.) One of the hacks that used to run here went in the opposite direction: if a user was able to authenticate with Kerberos, their local password would be changed automatically to be the same as their Kerberos password. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message