Support for Microsoft Set Password protocol
Nicolas Williams
Nicolas.Williams at sun.com
Wed Apr 2 10:22:04 EST 2003
On Wed, Apr 02, 2003 at 05:13:23PM +0200, Love wrote:
> Why must the API depend on the protocol ?
I don't understand why it would. Even though the error message formats
may vary from one protocol version to another, the outer framing is the
same across all versions and does bear the protocol version number
(though it's in cleartext and not authenticated - MIT uses KRB-ERROR to
indicate version mismatch errors anyways, and KRB-ERROR is not
authenticated either) so it's always possible to negotiate protocol
versions, though a "downgrade" attack is feasible (for now the attack is
pointless).
Perhaps the API should optionally allow the application to select a
single protocol version to use to avoid the downgrade attack.
> Why should the application that sets a password know that type of kdc it
> talks to ?
It should not. It's conceivable for a non-MS KDC to support the MS
kpasswd protocol and it's conceivable for a non-Sun KDC to support
kadmin w/ RPCSEC_GSS.
Cheers,
Nico
--
More information about the krbdev
mailing list