From owner-freebsd-security  Fri Jul 12 08:47:12 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id IAA20586
          for security-outgoing; Fri, 12 Jul 1996 08:47:12 -0700 (PDT)
Received: from kechara.flame.org (kechara.flame.org [192.80.44.209])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA20580
          for <freebsd-security@freefall.freebsd.org>; Fri, 12 Jul 1996 08:47:03 -0700 (PDT)
Received: from zhaneel.flame.org (zhaneel.flame.org [192.80.44.210]) by kechara.flame.org (8.7.5/8.6.9) with ESMTP id LAA22005; Fri, 12 Jul 1996 11:46:37 -0400 (EDT)
Received: (from explorer@localhost) by zhaneel.flame.org (8.7.5/8.6.9) id LAA07921; Fri, 12 Jul 1996 11:46:27 -0400 (EDT)
To: "Sexton, Robert" <sextonr.crestvie@squared.com>
Cc: freebsd-security@freefall.freebsd.org
Subject: Re: Password mechanisms.
References: <2979895B0187397C@mg01a.mhs.squared.com>
From: Michael Graff <explorer@flame.org>
Date: 12 Jul 1996 11:46:26 -0400
In-Reply-To: "Sexton, Robert"'s message of Thu, 11 Jul 1996 14:27:16 -0400
Message-ID: <v6logpxynh.fsf@zhaneel.flame.org>
Lines: 19
X-Mailer: Gnus v5.2.33/Emacs 19.31
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

"Sexton, Robert" <sextonr.crestvie@squared.com> writes:

> I realize that kerberos has been integrated into BSD4.4.  Where does that 
> leave the old fashioned /etc/passwd file?  I recently locked myself out 

Too bad there are two flaws in using Kerberos currently:

(1) there is no way to disable it for specific accounts.  It always
    tries Kerberos first, then local password entry, if there is one.

(2) There is no way to specify remote realms for a user.  For example,
    I might want spirit@MIT.EDU to be the realm to use for local account
    spirit, not spirit@FLAME.ORG.

(3) It integrated Kerberos 4, which is going out eventually.

IMHO, get Cygnus's Kerberos 4 or 5, and call that that.

--Michael