password policy to enforce different passwords for different principal instances?

Tim Olsen tolsen at limelabs.com
Tue Oct 21 11:30:41 EDT 2008


At my company, we've set up IMAP and SMTP services to fall back to PLAIN
authentication using a different instance of the principal (over SSL, of
course).  This way, users can use clients (such as the iPhone) that do
not support Kerberos, but the Kerberos password for their default
instance (which may grant them ssh access to certain machines) is not
cached on their client.  We are also considering doing something similar
for HTTP authentication (Negotiate falling back to Basic).

Is there any way to set up a password policy that would enforce that
different instances of a principal have different passwords?

Thanks,
Tim


