Subject: Re: pseudo-shadowing of passwords with ypserv?
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
From: Johan Danielsson <joda@pdc.kth.se>
List: tech-security
Date: 10/12/1998 14:37:37
Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

> We're a big Kerberos/AFS shop, but we still use YP.

We're just pulling a (periodically updated) master password file from
AFS. This gives you a delay before all passwd-files are updated, but
that isn't a big problem as I see it - it's a lot better than having
to fight with YP or Hesiod.

> I don't quite understand what people mean by "users don't understand
> Kerberos". Sure, they don't, but they don't understand 95% of the
> things they use, and that generally doesn't stop them :-) For
> example, they don't understand YP, but they use it just fine.

I agree. Kerberos has a bad reputation of being hard to understand,
and impossible to install, but the former isn't a problem as long as
there is *someone* that understands how it works (which isn't too
difficult), and the latter is a lot better nowadays (I can understand
that people were a bit frustrated with the original MIT Kerberos 4
dists).

[about DCE]

> It's a big nasty mess, and I've been staying away from it.

Hear! Hear! :-)

/Johan