[OpenAFS] Moving users to a new cell [was: (no subject)]

Derrick J Brashear shadow@dementia.org
Tue, 11 Dec 2001 10:55:32 -0500 (EST)


On Tue, 11 Dec 2001, Mitch Collinsworth wrote:

> 
> On Tue, 11 Dec 2001, Derrick J Brashear wrote:
> 
> > You could do something with a magic login program which understood the old
> > cell name and "changed" the password, but it's evil.
> 
> Why?  This seems like the path of least pain.  Haven't done it, yet,
> but am seriously considering it here.

The path of least pain is to have thought ahead and already had your users
converting to v4 string to key years before, but it's probably too late
for that :-)

Failing that, this is probably the path of least pain, but:
-you lose the ability to see when your users last *actually* changed their
password, thus subverting manual or automatic checks of such

-if it's poorly coded (and you should make sure it's not), it ends up
changing their password every time they log in

-it only works if they use a client you control where you have the ability
to replace the login program; if they use something outside your control
first they're going to be confused (this is probably less an issue for bnl
than it would be to you in an academic environment, but I'm guessing)

-interacts "oddly" when you allow authentication-passing autologin, namely
if someone can log in on a machine not controlled by you and then
"springboard" to one of your systems without again typing a password. This
only really matters if you tell people they lose until they "log in" and
they potentially lose after logging in. This one is probably an outlier
and probably irrelevant to most if not everyone.

-D
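The "magic login program" sketched above, as an added example that is not code from the thread or from OpenAFS. It models the two caveats Derrick raises: the wrapper must re-key a user into the new cell exactly once (not on every login, and not after the user has changed their password in the new cell), and it should carry the old cell's real last-changed timestamp across rather than stamping "now". The assumptions are mine: `string_to_key` is a toy stand-in (HMAC salted with the cell name) that only shares the property the thread relies on, namely that the stored key depends on the cell name so it cannot be converted without the cleartext password; the "cells" are in-memory dictionaries, and the user and cell names are made up.

```python
"""Toy one-shot migration login for moving users to a new AFS cell.

Added example, not code from the OpenAFS thread.  Assumptions:
- string_to_key() is a stand-in (HMAC-SHA256 keyed with the cell name),
  NOT the AFS algorithm.  It is used only because, like the real thing,
  the derived key depends on the cell name, so a key stored under the
  old cell cannot be converted to the new cell without the password.
- Cells are in-memory dicts; a real wrapper would talk to the kaserver/KDC.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class KeyRecord:
    key: bytes
    last_changed: int  # epoch seconds when the *user* last set the password


@dataclass
class Cell:
    name: str
    users: dict = field(default_factory=dict)  # username -> KeyRecord


def string_to_key(password: str, cell: str) -> bytes:
    """Stand-in for string-to-key: the cell name acts as the salt."""
    return hmac.new(cell.lower().encode(), password.encode(), hashlib.sha256).digest()


def verify(cell: Cell, user: str, password: str) -> bool:
    rec = cell.users.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec.key, string_to_key(password, cell.name))


def migrating_login(old: Cell, new: Cell, user: str, password: str) -> str:
    """Authenticate a login, re-keying the user into `new` at most once.

    Returns "new" (authenticated against the new cell), "migrated"
    (authenticated against the old cell and re-keyed into the new one),
    or "denied".
    """
    # 1. The new cell is authoritative.  Once a user has a key there we
    #    never consult the old cell again: otherwise a login with the
    #    *old* password would silently overwrite a password the user has
    #    since changed in the new cell (the "changes their password every
    #    time they log in" failure mode).
    if user in new.users:
        return "new" if verify(new, user, password) else "denied"

    # 2. Not yet migrated: verify against the old cell and, on success,
    #    derive the new-cell key from the cleartext password we just got.
    #    Carry the old last-changed time over so password-age checks in
    #    the new cell still reflect when the user really changed it.
    if verify(old, user, password):
        old_rec = old.users[user]
        new.users[user] = KeyRecord(
            key=string_to_key(password, new.name),
            last_changed=old_rec.last_changed,
        )
        return "migrated"

    return "denied"


def make_cells() -> tuple:
    """Constructed sample state: one user keyed only in the old cell."""
    old = Cell("old.example.org")
    old.users["alice"] = KeyRecord(string_to_key("s3cret", old.name), 1_000_000_000)
    new = Cell("new.example.org")
    return old, new


def demo() -> list:
    """Run the login sequence a migration would see; returns the outcomes."""
    old, new = make_cells()
    outcomes = [
        migrating_login(old, new, "alice", "wrong"),    # denied, nothing written
        migrating_login(old, new, "alice", "s3cret"),   # migrated (one time only)
        migrating_login(old, new, "alice", "s3cret"),   # new: no re-keying
    ]
    # Alice changes her password in the new cell; the old password must
    # not be able to revert it via the old cell.
    new.users["alice"] = KeyRecord(string_to_key("n3wpass", new.name), 1_100_000_000)
    outcomes.append(migrating_login(old, new, "alice", "s3cret"))   # denied
    outcomes.append(migrating_login(old, new, "alice", "n3wpass"))  # new
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The ordering in `migrating_login` is the whole point: checking "does the user already have a key in the new cell" before ever touching the old cell is what keeps the wrapper from re-keying on every login, and copying `last_changed` rather than setting it to the migration time is what keeps password-age reports honest.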