From: paul@uxc.cso.uiuc.edu (Paul Pomes - UofIllinois CSO)
Date: Mon, 3 Dec 90 22:44:51 GMT
Apparently-To: info-kerberos@ux1.cso.uiuc.edu

The Computing Services Office at the University of Illinois is investigating
whether to make the switch to Kerberos for user authentication.  I would
like to describe our environment and ask how people in similar circumstances
have handled it.

Unlike the Athena environment, CSO manages a collection of large multi-user
machines and not a horde of single-user workstations.  The CPUs of interest
are a Sequent Symmetry and Balance, Convex C-240, IBM RS6000/540, Pyramid
98x, and VAX 3500 (4.3 BSD).

We have also have a central registry of users that provides each person with
a unique alias (qi).  Linked to this alias is their preferred email address
and the other information found in the campus phone book.  Users can change
some of the information about themselves by providing a password.

My proposed plan is to first convert qi to Kerberos.  qi keeps passwords in
the clear and so it should fairly easy to move the alias/password information
into Kerberos.

Next the Kerberos r-commands would be installed on the mainframes in /usr/new
while we test the system and train users.  At some future time the vanilla
r-commands are copied to /usr/old as well as their Kerberos names in /usr/ucb.

Are their any fatal flaws to this plan?  How hard have other sites found it
to convert?  Is it worth doing so in the mainframe environment?

All advice and answers appreciated.

/pbp
--
         Paul Pomes

^X^C  rm -f /usr/local/bin/emacs; vi file  --  All the EMACS you need to know.

UUCP: {att,iuvax,uunet}!uiucuxc!paul   Internet, BITNET: paul@uxc.cso.uiuc.edu
US Mail:  UofIllinois, CSO, 1304 W Springfield Ave, Urbana, IL  61801-2910