The history key
Jeffrey Altman
jaltman at secure-endpoints.com
Wed Jan 13 23:02:35 EST 2010
On 1/13/2010 6:51 PM, Tom Yu wrote:
> ghudson at MIT.EDU writes:
>
>> 2. For 1.8, we will make sure it is possible to change the history key
>> (with cpw -randkey) and still have password changes work, although old
>> password history will effectively be lost if you do this. (This just
>> means ignoring integrity error codes from krb5_dbekd_decrypt_key_data
>> in check_pw_reuse, I think.)
>
> Does anyone who is currently using the password policy support,
> especially for regulatory or similar reasons, think it is a problem
> for existing password history to be lost during such a migration
> scenario?
I would suggest two things:
(a) a developer's list is really not the correct forum to ask
such a question. A list read by managers would be more
appropriate. Since such a list doesn't exist, I think
you would (if necessary) need to seek out and query users
(or perhaps OS Vendor consultants) directly.
(b) even if there are sites for which loss of the history would
not be a problem, there are certainly sites for which it
will be.
Jeffrey Altman
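
The following is an added illustration, not part of the original message and not MIT krb5 code, of the behaviour in the quoted proposal: a reuse check that skips history entries which fail integrity verification under the current history key. Only the name check_pw_reuse comes from the thread; the sealing scheme, helper names, keys and sample passwords are constructed stand-ins.

```python
import hashlib, hmac, os

class IntegrityError(Exception):
    """Entry does not verify under the supplied history key."""

def _subkeys(history_key):
    # Toy key separation: distinct encryption and MAC keys from one history key.
    return (hashlib.sha256(b"enc" + history_key).digest(),
            hashlib.sha256(b"mac" + history_key).digest())

def seal(history_key, user_key):
    """Store a 32-byte user key under the history key (toy encrypt-then-MAC)."""
    enc, mac = _subkeys(history_key)
    nonce = os.urandom(16)
    stream = hashlib.sha256(enc + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(user_key, stream))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(history_key, blob):
    enc, mac = _subkeys(history_key)
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise IntegrityError
    stream = hashlib.sha256(enc + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def check_pw_reuse(history_key, history, new_key):
    """Return (reused, unreadable): whether new_key matched, and entries skipped so far."""
    unreadable = 0
    for blob in history:
        try:
            old_key = unseal(history_key, blob)
        except IntegrityError:
            unreadable += 1  # sealed under a previous history key: skip, do not fail
            continue
        if hmac.compare_digest(old_key, new_key):
            return True, unreadable
    return False, unreadable

def demo():
    # Constructed sample data: salt, passwords and random history keys.
    to_key = lambda pw: hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 1000)
    k_old, k_new = os.urandom(32), os.urandom(32)
    history = [seal(k_old, to_key(p)) for p in ("old-pw-1", "old-pw-2")]
    before = check_pw_reuse(k_old, history, to_key("old-pw-1"))
    after = check_pw_reuse(k_new, history, to_key("old-pw-1"))  # history key changed
    history.append(seal(k_new, to_key("old-pw-3")))
    fresh = check_pw_reuse(k_new, history, to_key("old-pw-3"))
    return before, after, fresh
```

In this model the password change still succeeds after the history key is replaced, but the old password is accepted again; the unreadable count is what a site would log to see how much history is no longer enforced.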