I don't know if this is sufficient for AFS (don't run it), but this is how we got around the transition to Kerberos without users having to create new passwords. We modified login.c such that, when the password they just typed in didn't work as a Kerberos key but did pass the old crypt() test against the one in their password file entry, the program then did a "kpasswd" to that password. (Just cribbed the kpasswd code into login.c and hardwired an old password into the program.) All kerberos principals were created with the same "old password" that was hardwired into login.c. The most obvious security hole this creates is having the "old password" in the login executable, but if you avoid making it a string (ie. p[0] = 'x'; p[1] = 'y';... instead of "xy" in the code) and don't set any world 'r' on the login executable, I don't think this is a big problem. (You probably only wan to run this login for a few weeks and then take the one way encrypted passwords out of the NIS database, since they are a big security risk for crackers.) Good luck with it, rick
