[OpenAFS] Deploying OpenAFS on a working server?
Russ Allbery
rra@stanford.edu
Fri, 29 Apr 2005 10:34:04 -0700
Madhusudan Singh <singh.madhusudan@gmail.com> writes:
>> Second, as I understand it Kerberos (which OpenAFS uses) is a 'shared
>> secret' authentication mechanism, meaning kaserver (or whatever) needs
>> access to the unencrypted passwords: thus /etc/passwd would not provide
>> everything required. You would have to migrate users over.
> Hmm. This could raise some hackles, but I guess it cannot be helped.
> Second question - isn't storing passwords unencrypted a serious security
> weakness? I speak as someone who does not know a whole lot about
> Kerberos.
Passwords are not stored unencrypted, exactly. They're stored hashed, but
unlike with /etc/passwd, you can use the hash as the password in certain
circumstances. It *mostly* amounts to the same thing, but you have to be
a bit more sophisticated of an attacker than just reading the password
database and copying down the passwords.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>