password policy to enforce different passwords for different principal instances?

Tom Yu tlyu at MIT.EDU
Mon Oct 27 18:41:28 EDT 2008


Tim Olsen <tolsen at limelabs.com> writes:

> At my company, we've set up IMAP and SMTP services to fall back to PLAIN
> authentication using a different instance of the principal (over SSL of
> course).  This way, users can use clients (such as the iPhone) that do
> not support Kerberos, but the Kerberos password for their default
> instance (which may grant them ssh access to certain machines) is not
> cached on their client.  We are also considering doing something similar
> for HTTP authentication (Negotiate falling back to Basic).
>
> Is there any way to set up a password policy that would enforce that
> different instances of a principal have different passwords?

The password policy support in MIT Kerberos is somewhat limited and
does not support this operation at the moment.  It probably would not
be too difficult to add the functionality as a quick hack.  If there
is interest in making a more general solution, I would like to hear
proposals about a plug-in interface or similar.

For future inclusion in MIT Kerberos source code, I would of course
prefer a general solution that would be useful to a wide range of
enterprises.

-- 
Tom Yu
Development Manager
MIT Kerberos Consortium
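The check Tim asks for is less trivial than it looks, because a KDC stores keys rather than passwords, and each principal's key is salted by default with the realm plus the principal's name components (so user@REALM and user/mail@REALM get different keys even when the password is identical). A "quick hack" of the kind Tom mentions therefore has to take the candidate password on the password-change path, run it through string-to-key with each sibling instance's salt, and compare the result against that sibling's stored key. The following is an added, illustrative model of that logic written for this page; it is not MIT Kerberos code. The PBKDF2 stand-in for string-to-key, the ToyKDB class, the principal names and the passwords are all assumptions made for the example (real enctypes use the RFC 3961/3962 string-to-key functions, and in later MIT releases such a check would live behind the password-quality plugin interface).

```python
"""
Toy model of a "sibling instances must not share a password" check.

Not MIT Kerberos code.  The KDB, the principals and the KDF are all
constructed for illustration.
"""
import hashlib
import hmac


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for a Kerberos string-to-key function (ASSUMPTION: real
    enctypes use RFC 3961/3962 string-to-key, not PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def parse_principal(principal: str):
    """'user/inst@REALM' -> ('user', ['inst'], 'REALM')."""
    name, realm = principal.rsplit("@", 1)
    parts = name.split("/")
    return parts[0], parts[1:], realm


def default_salt(principal: str) -> str:
    """Kerberos default salt: realm followed by the name components, in
    order, with no separators (RFC 4120).  Because the instance is part of
    the salt, identical passwords yield different keys per instance, which
    is why the check below cannot simply compare stored keys."""
    primary, instances, realm = parse_principal(principal)
    return realm + primary + "".join(instances)


class ToyKDB:
    """Constructed stand-in for the KDC database: principal -> (salt, key)."""

    def __init__(self):
        self.entries = {}

    def set_password(self, principal: str, password: str) -> None:
        salt = default_salt(principal)
        self.entries[principal] = (salt, string_to_key(password, salt))

    def sibling_instances(self, principal: str):
        """Other principals with the same primary and realm, e.g. for
        tolsen/mail@R this yields tolsen@R and tolsen/admin@R."""
        primary, _, realm = parse_principal(principal)
        return [
            p for p in self.entries
            if p != principal
            and parse_principal(p)[0] == primary
            and parse_principal(p)[2] == realm
        ]


def password_shared_with_sibling(kdb: ToyKDB, principal: str, candidate: str):
    """Return the sibling principals whose stored key equals the candidate
    password derived with *that sibling's* salt.  Only possible on the
    password-change path, where the plaintext is available; randkey
    principals can never be checked this way."""
    hits = []
    for other in kdb.sibling_instances(principal):
        salt, stored_key = kdb.entries[other]
        if hmac.compare_digest(string_to_key(candidate, salt), stored_key):
            hits.append(other)
    return hits


def change_password(kdb: ToyKDB, principal: str, candidate: str) -> None:
    """Policy-enforcing password change: refuse if any sibling instance
    already uses the candidate password."""
    clashes = password_shared_with_sibling(kdb, principal, candidate)
    if clashes:
        raise ValueError(f"password for {principal} already used by {clashes}")
    kdb.set_password(principal, candidate)


if __name__ == "__main__":
    kdb = ToyKDB()
    kdb.set_password("tolsen@EXAMPLE.COM", "correct horse battery")
    try:
        change_password(kdb, "tolsen/mail@EXAMPLE.COM", "correct horse battery")
    except ValueError as e:
        print("rejected:", e)
    change_password(kdb, "tolsen/mail@EXAMPLE.COM", "a different passphrase")
    print("accepted:", sorted(kdb.entries))
```

Two practical caveats follow from the model: the check costs one string-to-key per sibling per enctype (cheap for a handful of instances, noticeable on AES enctypes with high iteration counts), and it only catches a password reused at change time; it cannot retroactively find existing duplicates without the plaintext.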
