Support for Microsoft Set Password protocol
Nicolas.Williams at sun.com
Tue Apr 1 17:28:05 EST 2003
On Tue, Apr 01, 2003 at 04:38:43PM -0500, Sam Hartman wrote:
> Paul Nelson has contributed code to implement the client side of the
> Microsoft set password protocol. We're going to accept this code for
> 1.3; I have audited the code and am working on making a few changes
> and integrating it now.
> I do need to resolve one API question. Paul proposes introducing a
> krb5_set_password API that works much like the old
> krb5_change_password API.
> How will this interact with eventual support for Nico's set-change
> password draft (it doesn't seem to exist in the ID repository yet).
I'll finish the draft in the next few weeks. It's almost done - I just
need to find the time to finish it off.
> Do we plan to try the IETF standard and if that fails fall back to the
> Microsoft spec, or do we plan to require application authors to
> specify what version they want? Do we have a requirement to offer
> applications an option to force use of the Microsoft protocol?
The protocol can be negotiated, but not safely[*]. Therefore the
protocol versions that a client is willing to negotiate should be
[*] Previous versions and/or implementations of the protocol have the
server return an KRB-ERROR, rather than an AP-REP and a KRB-PRIV
with an error, when the server does not support a client's requested
protocol version number.
> If we plan to use the IETF spec and fallback, then I think Paul's API
> proposal is fine.
Has the API been proposed on one of these lists?
More information about the krbdev