
Re: Password hashes in Debian Edu (and migrating from pre-Squeeze installations)



[Moritz Molle]
> I see the problem just in having redundant data in many databases
> scattered around the system. i don't really get, why this is better
> than not using kerberos at all and authenticating like in
> skole5/lenny against the ldap.

Kerberos provides two major advantages.  The most important one is
single sign-on, which means you can log in once and use the credentials
you get during login to log into web services or other services around
the net without having to provide username and password again.

The second most important one is how the password checking is done.
With simple LDAP bind, the password is sent over to the server for
checking.  If we did not enforce the use of encrypted LDAP
connections, the password could be sent in clear text.  With Kerberos
the password is never sent to the server (the password is used to
encrypt the current time; if the server also knows the password, it
can confirm that the correct password is used), thus making it safe to
try to log into any server, also those that are not to be trusted.

So we are definitely moving to Kerberos, it just takes some time before
we can reap all the advantages.

There is a reason why Windows uses Kerberos all over the place too. :)
It is a very good method to check passwords. :)

-- 
Kind regards
Petter Reinholdtsen


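The password-checking difference described in the message above, as an added example that is not part of the original thread and not code from Debian Edu, MIT Kerberos or OpenLDAP. It is a toy model of what crosses the wire in an LDAP simple bind (the password itself) versus a Kerberos-style encrypted-timestamp pre-authentication (only a ciphertext a party holding the same key can verify). Assumptions: PBKDF2-SHA256 stands in for Kerberos's string2key, an HMAC-SHA256 keystream with an HMAC tag stands in for the real AES encryption type, the principal name is used as salt, and every DN, principal, password and timestamp is constructed sample data.

```python
# Added example, not from the Debian Edu thread or any Kerberos/LDAP code base.
# Assumptions: PBKDF2-SHA256 for string2key, HMAC-SHA256 keystream + HMAC tag
# for the enctype, principal name as salt; all names and values are constructed.
import hashlib
import hmac
import os
import struct
import time

CLOCK_SKEW = 300  # seconds; the KDC rejects timestamps further off than this


# --- LDAP simple bind: the password itself is the proof --------------------
def ldap_simple_bind_message(bind_dn, password):
    """The bind request carries the DN and the plaintext password."""
    return {"bind_dn": bind_dn, "password": password}


def ldap_server_check(message, directory):
    """Server side: compare the received password with the stored one."""
    return directory.get(message["bind_dn"]) == message["password"]


# --- Kerberos-style pre-authentication: prove knowledge of the key ----------
def string_to_key(password, salt):
    """Derive the long-term key from the password (stand-in for string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key, nonce, length):
    """Counter-mode keystream built from HMAC-SHA256 (toy cipher, not AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Toy encrypt-then-MAC: nonce || (plaintext XOR keystream) || tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < 16 + 32:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def krb_preauth_request(principal, password, now=None):
    """Client side: encrypt the current time under the password-derived key.
    The password never leaves the client; only the ciphertext is sent."""
    now = int(time.time()) if now is None else now
    key = string_to_key(password, salt=principal)  # salt convention is an assumption
    return {"principal": principal, "pa_enc_timestamp": encrypt(key, struct.pack(">Q", now))}


def kdc_check(request, kdc_keys, now=None):
    """KDC side: decrypt with the stored key and accept only a fresh timestamp."""
    now = int(time.time()) if now is None else now
    key = kdc_keys.get(request["principal"])
    if key is None:
        return False
    plaintext = decrypt(key, request["pa_enc_timestamp"])
    if plaintext is None or len(plaintext) != 8:
        return False
    (timestamp,) = struct.unpack(">Q", plaintext)
    return abs(now - timestamp) <= CLOCK_SKEW


def wire_contains_password(message, password):
    """What a passive observer of an unencrypted connection can read."""
    return password.encode() in repr(message).encode()


if __name__ == "__main__":
    pw = "s3cret-sample"  # constructed sample password
    bind = ldap_simple_bind_message("uid=alice,ou=People,dc=example", pw)
    print("LDAP bind exposes password:", wire_contains_password(bind, pw))
    kdc = {"alice@EXAMPLE": string_to_key(pw, "alice@EXAMPLE")}
    req = krb_preauth_request("alice@EXAMPLE", pw)
    print("Kerberos request exposes password:", wire_contains_password(req, pw))
    print("KDC accepts:", kdc_check(req, kdc))
```

The toy captures the property the message relies on: a server or eavesdropper that does not hold the key learns nothing directly usable from the request, and a rogue server cannot "accept" the login in a way that yields the password. One caveat a practitioner should keep in mind is that an encrypted timestamp captured off the wire can still be attacked offline by guessing passwords and checking whether the tag verifies, which is why the key derivation in real Kerberos is deliberately slow and why weak passwords remain a risk even with Kerberos.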