Kerb v4 for MacOS X
goHCI at cmu.edu
Fri Jan 25 16:59:01 EST 2002
>> 1) Is it possible to add the "Change Password" directly in
>> the Kerberos menu/icon? (both the classic and carbon versions)
> Probably not. How often do you need to use that?
Currently, we're using this pretty often. CMU is upgrading lots
of servers to Kerb5 from Kerb4. Users who hadn't updated their
password (via changing their password) recently would not be able
to access new kerb5 services (as their password entry contained
just an old kerb4 entry). Anyhow, the technical reasons are a
bit past me. :) I could ask one of our systems developers to
explain if you're curious.
We also have started running "password crackers" against our
/etc/passwd to check for easy-to-guess/crack passwords. And
we encourage users to change passwords if guessed.
>> 2) I wonder if there can't be some icon on OS X when Kerberos
>> for Mac is running?
> What do you mean by "Kerberos is running"?
So let me re-phrase :) : We like people to easily know if they
have current tickets or not. The KfM for classic always shows
by default whether the user has current tickets (via the menu
If there's documentation somewhere on how I can configure the
installer to place & "run" Kerberos by default on an install,
that would rock! So hence, by "run", I mean is an active program
on OS X (with that silly triangle under the icon in the Dock).
I could be mistaken, but if you open the Kerberos application,
you can choose "Keep in Dock", but when the Application is not
open, active, and running, the icon will show a YELLOW key whether
there are active tickets or not.
2 new requests from our other Mac expert (who also said you guys
rock and did a great job with Kerberos for Mac) - we're just
full of praise:
3) Kerberos for Mac generates a "Service Expired" message if the
Time is out of bounds / off synch. Users get confused by this: Could
the error message be changed to something with the word "time" in
it; even Time Out of Bounds is fine.
Sure, it would be great if Kerberos could tie into the System Prefs
and either let the user update the time immediately or take them to
the Date & Time prefs. But that's asking a lot.
4) If someone deletes their Kerberos Preferences, they lose their
ANDREW.CMU.EDU or CS.CMU.EDU realm and Kerberos reverts to an MIT.EDU
server. Is this possible to customize, so CMU's distribution has
the default set to ANDREW.CMU.EDU ? :)
Once again thank you!
Have a great weekend,
Carnegie Mellon University
More information about the krbdev