[krbdev.mit.edu #5658] kdc notify pws
Austin Jennings via RT
rt-comment at krbdev.mit.edu
Thu Sep 6 19:06:08 EDT 2007
Some information from Steven Simon:
> This command is not in the last spec.
>
> The PasswordService daemon handles password replication and policies for us.
> When a change comes in through Kerberos, we have the KDC notify the PasswordService of the change.
>
> PasswordService's protocol is a hack of the POP3 protocol. It's text-based with command + args.
> The protocol for this command is:
> AUTH KERBEROS-LOGIN-CHECK <principal> [? | + | - | !]
>
> ? = get current status, returns a status code for the user's current state
>     the values are in the patch (search for "// Reposonse Codes (used numerically)")
> + = kinit success
> - = bad password
> ! = password changed
>
> In past releases, we restricted access to "KERBEROS-LOGIN-CHECK" to localhost.
> However, that approach proscribes shell accounts on the PasswordService system.
> We've updated PasswordService to have a root-only named pipe for flexibility.
>
> - Steve
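
The command line described above, as an added sketch that is not taken from the patch or from PasswordService: a sender-side formatter and a receiver-side parser that accept only the four documented event characters. The `plc_*` names are hypothetical, and single-space separators, CRLF termination and the one-token restriction on the principal are assumptions; the status codes returned for `?` are only in the patch and are not reproduced here.

```c
#include <stdio.h>
#include <string.h>

#define PLC_PREFIX "AUTH KERBEROS-LOGIN-CHECK "

/* The four event characters listed in the message above. */
static int plc_valid_event(int c) {
    return c == '?' || c == '+' || c == '-' || c == '!';
}

/* Assumption: a principal is one token. Rejecting spaces and control bytes
 * keeps CR/LF in a name from starting a second command on the same socket. */
static int plc_valid_principal(const char *p) {
    if (p == NULL || *p == '\0') return 0;
    for (; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c <= 0x20 || c == 0x7f) return 0;
    }
    return 1;
}

/* Sender side: returns the line length, or -1 on bad input or truncation. */
int plc_format(char *out, size_t outlen, const char *principal, int event) {
    if (!plc_valid_event(event) || !plc_valid_principal(principal)) return -1;
    int n = snprintf(out, outlen, PLC_PREFIX "%s %c\r\n", principal, event);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Receiver side: accepts exactly one well-formed line; 0 on success, -1 otherwise. */
int plc_parse(const char *line, char *principal, size_t plen, int *event) {
    size_t pre = sizeof(PLC_PREFIX) - 1;
    if (strncmp(line, PLC_PREFIX, pre) != 0) return -1;
    const char *name = line + pre;
    const char *sp = strchr(name, ' ');
    if (sp == NULL) return -1;
    size_t n = (size_t)(sp - name);
    if (n == 0 || n >= plen) return -1;
    memcpy(principal, name, n);
    principal[n] = '\0';
    if (!plc_valid_principal(principal)) return -1;
    if (!plc_valid_event((unsigned char)sp[1])) return -1;
    if (strcmp(sp + 2, "\r\n") != 0) return -1;   /* nothing may follow the event */
    *event = sp[1];
    return 0;
}
```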