Subject: Re: kerberos in 1.5_ALPHA
To: None <current-users@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: current-users
Date: 07/17/2000 04:20:41
On Sun, Jul 16, 2000 at 01:00:12PM -0700, Jason R Thorpe wrote:
> On Sun, Jul 16, 2000 at 12:02:00PM -0700, Paul Goyette wrote:
> 
>  > > In the Athena environment (the original user of Kerberos), Hesiod (i.e.
>  > > "dns" in nsswitch.conf) is used for the user/group database info,
>  > 
>  > So, shouldn't use of Kerberos for password changing depend on presence
>  > of DNS in the nsswitch.conf entry for password?  Currently, setting
>  > nsswitch.conf to "files" only still doesn't disable Kerberos attempts.
> 
> No.  I was only pointing out that Kerberos is separate from where the
> user information comes from.

Furthermore, Kerberos for passwords and NIS (YP) for everything else is
a somewhat common configuration.

Of course, this suffers the same problems as Kerberos plus DNS for the
user database information: an attacker can swap out the user's shell, or,
for example, put "::" or a known password into the pw->passwd field of
the user's passwd database record and bypass Kerberos or gain access the
user shouldn't have.  Fixing *that* properly requires DNSSEC for the Hesiod
records; most sites use various special-purpose hacks of dubious value,
or rsync out an actual password file using a secure transport.
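The attack sketched above works because, with Kerberos for passwords and NIS or Hesiod for the user database, the pw_passwd and pw_shell fields reach login(1) unauthenticated; short of DNSSEC, the practical stopgap is to refuse network-sourced records that carry anything a local attacker could exploit. The following is an added example, not code from this thread or from NetBSD: it parses passwd(5)-format records as a NIS map or Hesiod record would deliver them and flags the manipulations named above (an empty password field, a local hash that would be checked instead of Kerberos, a swapped shell) plus a uid 0 under a non-root name. The policy that Kerberos-only accounts carry "*" in the password field, the shell allowlist, and all function names are assumptions made for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Problems found in one record; combined as a bitmask. */
enum {
    PW_OK = 0,
    PW_MALFORMED    = 1 << 0,   /* not exactly seven fields, or non-numeric uid/gid */
    PW_EMPTY_PASSWD = 1 << 1,   /* "::": login needs no secret at all */
    PW_LOCAL_HASH   = 1 << 2,   /* a hash is present: it is checked instead of Kerberos */
    PW_BAD_SHELL    = 1 << 3,   /* shell not in the local allowlist */
    PW_UID_ZERO     = 1 << 4    /* uid 0 under a name other than root */
};

struct pwrec {
    char name[64], passwd[128], shell[256];
    long uid, gid;
};

/* Hypothetical allowlist standing in for /etc/shells on the local host. */
static const char *const allowed_shells[] = {
    "/bin/sh", "/bin/csh", "/bin/ksh", "/usr/pkg/bin/bash", NULL
};

static int copy_field(char *dst, size_t dstlen, const char *src, size_t len)
{
    if (len >= dstlen)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

static int parse_long(const char *src, size_t len, long *out)
{
    char buf[32], *end;
    if (len == 0 || copy_field(buf, sizeof buf, src, len) != 0)
        return -1;
    *out = strtol(buf, &end, 10);
    return *end == '\0' ? 0 : -1;
}

/* Split "name:passwd:uid:gid:gecos:dir:shell" into rec; -1 if malformed. */
int parse_passwd_line(const char *line, struct pwrec *rec)
{
    const char *f[7];
    size_t n[7];
    const char *p = line;
    int i;
    for (i = 0; i < 6; i++) {
        const char *colon = strchr(p, ':');
        if (colon == NULL)
            return -1;
        f[i] = p;
        n[i] = (size_t)(colon - p);
        p = colon + 1;
    }
    f[6] = p;
    n[6] = strcspn(p, ":\n");
    if (p[n[6]] == ':')             /* an eighth field is an error */
        return -1;
    if (copy_field(rec->name, sizeof rec->name, f[0], n[0]) ||
        copy_field(rec->passwd, sizeof rec->passwd, f[1], n[1]) ||
        parse_long(f[2], n[2], &rec->uid) ||
        parse_long(f[3], n[3], &rec->gid) ||
        copy_field(rec->shell, sizeof rec->shell, f[6], n[6]))
        return -1;
    return 0;
}

/* Assumed site policy: a network-sourced record on a Kerberos host must carry
 * "*" in the password field, an allowlisted shell, and uid 0 only for root. */
int check_passwd_entry(const struct pwrec *rec)
{
    int flags = PW_OK, i, ok = 0;
    if (rec->passwd[0] == '\0')
        flags |= PW_EMPTY_PASSWD;
    else if (strcmp(rec->passwd, "*") != 0)
        flags |= PW_LOCAL_HASH;
    for (i = 0; allowed_shells[i] != NULL; i++)
        if (strcmp(rec->shell, allowed_shells[i]) == 0)
            ok = 1;
    if (!ok)
        flags |= PW_BAD_SHELL;
    if (rec->uid == 0 && strcmp(rec->name, "root") != 0)
        flags |= PW_UID_ZERO;
    return flags;
}

int audit_passwd_line(const char *line)
{
    struct pwrec rec;
    if (parse_passwd_line(line, &rec) != 0)
        return PW_MALFORMED;
    return check_passwd_entry(&rec);
}
```

A site that distributes the map with rsync over a secure transport, as mentioned above, could run this over the file before installing it; a host that consumes NIS or Hesiod directly would have to apply the same checks in the nsswitch layer, since by the time login sees the record the damage is done.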