Subject: Re: Question about NIS/Kerberos (kind of off topic).
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
From: Rob Deker <deker@digex.net>
List: current-users
Date: 04/16/1997 19:22:12

On Wed, 16 Apr 1997, Ken Hornstein wrote:
> Kerberos doesn't solve the password database problem. Until recently, we
> were using AFS Kerberos; now we're using Kerberos 5. In both cases we
> still use YP to distribute our password database. Mind you, the password
> field for our users is set to "-K-", so we don't distribute the actual
> _passwords_ themselves. Some sites use Hesiod to distribute password
> information instead of YP; I don't know much about it, so I can't comment
> on it.
>
I believe that Hesiod could easily be used for this. We use it heavily at
my workplace for things like mail and amd. I unfortunately haven't had
the chance to sit and talk at length w/ the guy who installed it all (my
boss) so I can't be of much help technically... sorry. I would say on general
principle that Hesiod would be the better choice though.
> Using Kerberos just as a central password database doesn't get you that
> much in the way of security (it gets you some, but not a lot). Using
> Kerberos _clients_ everywhere so your passwords don't travel the net
> in cleartext is where the big advantage of Kerberos comes in. Whether or
> not you want to go that route is up to you.
>
True, true... Kerberos (or any other authentication system for that matter)
does NO good if you cleartext your password everywhere...
rob
------------------------------------------------------------------------------
"Off the keyboard, through the CPU, | deker@digex.net
out the transceiver, down the rj45 | Systems Engineer
line, across the router, through |
the Hub, out the gateway. |
Nothing but net." |
-----------------------------------------------------------------------------
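
Added example, not part of the original message: a check for the setup Ken describes, where the YP passwd map carries "-K-" in the password field so no hashes are distributed. It reads passwd-format lines (for instance from `ypcat passwd`) and reports every entry that still carries an empty field or something that looks like a crypt hash. The sample map, function names and reason labels are constructed for illustration.

```shell
#!/bin/sh
# Placeholder value quoted in the thread; change it if a site uses another marker.
PLACEHOLDER="-K-"

# Constructed sample map (not real accounts or real hashes).
sample_map() {
    cat <<'EOF'
# constructed passwd map
alice:-K-:1001:100:Alice:/home/alice:/bin/sh
bob:abJnggxhB/yJc:1002:100:Bob:/home/bob:/bin/sh
carol::1003:100:Carol:/home/carol:/bin/sh
dave:*:1004:100:Dave:/home/dave:/bin/false
erin:$1$salt$abcdefghijklmnopqrstuv:1005:100:Erin:/home/erin:/bin/sh
EOF
}

# audit_passwd_map: read passwd(5)-format lines on stdin and print
# "user:reason" for each entry whose password field is neither the
# placeholder nor a lock marker.
audit_passwd_map() {
    awk -F: -v ph="$PLACEHOLDER" '
        /^#/ || /^[ \t]*$/        { next }                                  # comments, blanks
        NF != 7                   { print $1 ":malformed-entry"; next }
        $2 == ph                  { next }                                  # expected state
        $2 == ""                  { print $1 ":empty-password"; next }
        $2 == "x" || $2 ~ /^[*!]/ { next }                                  # shadowed or locked
        $2 ~ /^\$/                { print $1 ":modular-crypt-hash"; next }
        length($2) == 13 && $2 ~ /^[.\/0-9A-Za-z]+$/ {
                                    print $1 ":des-crypt-hash"; next }      # traditional crypt(3)
                                  { print $1 ":unrecognized-value" }
    '
}

# Demonstration on the constructed map.
sample_map | audit_passwd_map
```

An empty result means every entry in the map holds the placeholder or a lock marker.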