splitting authentication instances and changing passwords
eagle at windlord.stanford.edu
Wed Feb 4 10:41:16 PST 2009
John DeStefano <john.destefano at gmail.com> writes:
> We are thinking of splitting our Kerberos-backed, WebAuth-authenticated
> services into two, separate Kerberos accounts. Since the users' current
> Kerberos passwords are encrypted, the admins don't know what they are,
> and they can't be ported to another Kerberos instance (AFAIK). Thus,
> when a user first attempts to authenticate to the new services, their
> initial authentication attempts will fail. Ideally, these initial
> failures could redirect the users to a page authenticated by their
> current ("old") Kerberos password using WebAuth, which could prompt the
> users to change their passwords, and which would save the new passwords
> to the new service's new Kerberos accounts.
> I was wondering whether some application or set of scripts for doing
> this already exists -- not a directly WebAuth-related question, but I
> thought this as good a place to ask as any.
We thought about it on several occasions, but never ended up needing it
badly enough to write the code. It's fairly trivial to modify
login.fcgi to do something else with a user's entered password at the time
of authentication, though. Our theory was that we'd just get our user
base the next time they authenticated to the WebLogin server and do
whatever manipulations that required their passwords then.
If you have Negotiate-Auth users, you have to do something separate with
them, of course, since you don't normally get their password.
I can't help with scripts, but I can validate your general direction. :)
And you could make it even more silent if you wanted.
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS UNIX Systems and Applications, Stanford University