>To my knowledge there is no way to convert keys like you're wanting to do.
>My suggestion, if it's possible in your environment, would be to implement
>a password expiration policy with a deadline of a few months and let
>everyone gradually change their password.

There is one way ... but it requires you to have your Kerberos Shit Together.

Write a custom login program that once you log in correctly using an AFS salted key, generates a V5 salted key from that plaintext password and stores it somewhere. "Somewhere" could be in a V5 database (e.g., you can simply force a password change). This means not only would you have to know how to program the poorly-documented Kerberos API, but you would have to figure out how to program the even-more-poorly-documented kadm5 API.

I have seen other variations on this, but it's all basically, "Get the user to enter in a plaintext password to some login-like program, validate it, and then generate a V5 key from it".

Sadly, the intersection of people who have their Kerberos Shit Together and people who actually _need_ this functionality is currently the null set.

--Ken
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
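
The validate-then-rekey flow described in the message above, as an added sketch that is not code from the original post or from any Kerberos distribution. It assumes the AFS salt is the cell name and the V5 salt is the realm followed by the principal name; `stand_in_s2k` is a hypothetical PBKDF2 stand-in for the real AFS and V5 string-to-key functions, and the in-memory dictionaries stand in for the KDC database that a real program would update through kadm5.

```python
import hashlib
import hmac

ITERATIONS = 4096  # constructed value for the stand-in KDF


def stand_in_s2k(password: str, salt: str) -> bytes:
    """Stand-in string-to-key (NOT the real AFS or V5 algorithm)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), ITERATIONS, 32)


def afs_salt(cell: str) -> str:
    return cell.lower()  # assumption: AFS-salted keys are salted with the cell name


def v5_salt(realm: str, principal: str) -> str:
    return realm + "".join(principal.split("/"))  # assumption: realm + name components


class MigratingLogin:
    """Login front end that re-keys a principal once its old password is proven."""

    def __init__(self, cell, realm, afs_keys):
        self.cell, self.realm = cell, realm
        self.afs_keys = dict(afs_keys)  # principal -> old AFS-salted key
        self.v5_keys = {}               # principal -> new V5-salted key

    def login(self, principal, password):
        """Return 'v5', 'migrated' or 'denied'."""
        if principal in self.v5_keys:
            cand = stand_in_s2k(password, v5_salt(self.realm, principal))
            ok = hmac.compare_digest(cand, self.v5_keys[principal])
            return "v5" if ok else "denied"
        old = self.afs_keys.get(principal)
        cand = stand_in_s2k(password, afs_salt(self.cell))
        if old is None or not hmac.compare_digest(cand, old):
            return "denied"  # never re-key on an unverified password
        # Password verified against the old key: derive the V5-salted key now,
        # while the plaintext is still in memory, then retire the old key.
        self.v5_keys[principal] = stand_in_s2k(password, v5_salt(self.realm, principal))
        del self.afs_keys[principal]
        return "migrated"


def demo():
    cell, realm = "example.org", "EXAMPLE.ORG"  # constructed names
    old_key = stand_in_s2k("correct horse", afs_salt(cell))
    svc = MigratingLogin(cell, realm, {"alice": old_key})
    return [svc.login("alice", "wrong"), svc.login("alice", "correct horse"),
            svc.login("alice", "correct horse"), svc.login("alice", "wrong")]
```

The two salts differ, so the stored AFS-salted key cannot be turned into the V5-salted one without the plaintext; that is why the re-key step only runs inside a successful login.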