afs to k5 conversion keytypes

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Feb 22 15:45:10 EST 2005


>krb5_change_password is not any worse to use than the init_creds API.
>You can avoid the kadm5 API.

Oh, sure ... but I'm not sure that's sufficient.  What you probably
want to do is query the database to see what enctypes your principal
record has (so you're not doing a whole lot of password changes) and
_that_ requires the kadm5 API.  I guess you could do a password change
for every login, but that sure would suck.  Assuming you support something
stronger than single-DES, you could get away with checking the enctype
of the TGT session key, and you could avoid the kadm5 API that way.

--Ken

