Support for Microsoft Set Password protocol

Nicolas Williams Nicolas.Williams at
Wed Apr 2 10:22:04 EST 2003

On Wed, Apr 02, 2003 at 05:13:23PM +0200, Love wrote:
> Why must the API depend on the protocol ?

I don't understand why it would.  Even though the error message formats
may vary from one protocol version to another, the outer framing is the
same across all versions and does bear the protocol version number
(though it's in cleartext and not authenticated - MIT uses KRB-ERROR to
indicate version mismatch errors anyways, and KRB-ERROR is not
authenticated either) so it's always possible to negotiate protocol
versions, though a "downgrade" attack is feasible (for now the attack is

Perhaps the API should optionally allow the application to select a
single protocol version to use to avoid the downgrade attack.

> Why should the application that sets a password know that type of kdc it
> talks to ?

It should not.  It's conceivable for a non-MS KDC to support the MS
kpasswd protocol and it's conceivable for a non-Sun KDC to support
kadmin w/ RPCSEC_GSS.



More information about the krbdev mailing list