[krbdev.mit.edu #1221] password history should use master key
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Tue Dec 16 10:51:40 EST 2014
A user asked if the KDC could check preauth attempts against old keys
and avoid incrementing the failed authentication counter if they match:
http://mailman.mit.edu/pipermail/kerberos/2014-December/020409.html
I mention that here because (1) this issue would save the KDC from
having to keep around the history key in order to do this, and (2) we
would have to keep around the old keys, not a specific transform of the
old password, in order to do this.