Support for Microsoft Set Password protocol

Nicolas Williams Nicolas.Williams at
Tue Apr 1 17:28:05 EST 2003

On Tue, Apr 01, 2003 at 04:38:43PM -0500, Sam Hartman wrote:
> Paul Nelson has contributed code to implement the client side of the
> Microsoft set password protocol.  We're going to accept this code for
> 1.3; I have audited the code and am working on making a few changes
> and integrating it now.
> I do need to resolve one API question.  Paul proposes introducing a
> krb5_set_password API that works much like the old
> krb5_change_password API.
> How will this interact with eventual support for Nico's set-change
> password draft (it doesn't seem to exist in the ID repository yet).

I'll finish the draft in the next few weeks.  It's almost done - I just
need to find the time to finish it off.

> Do we plan to try the IETF standard and if that fails fall back to the
> Microsoft spec, or do we plan to require application authors to
> specify what version they want?  Do we have a requirement to offer
> applications an option to force use of the Microsoft protocol?

The protocol can be negotiated, but not safely[*].  Therefore the
protocol versions that a client is willing to negotiate should be

[*] Previous versions and/or implementations of the protocol have the
    server return an KRB-ERROR, rather than an AP-REP and a KRB-PRIV
    with an error, when the server does not support a client's requested
    protocol version number.

> If we plan to use the IETF spec and fallback, then I think Paul's API
> proposal is fine.

Has the API been proposed on one of these lists?



More information about the krbdev mailing list