Support for Microsoft Set Password protocol

Alexandra Ellwood lxs at MIT.EDU
Wed Apr 2 12:06:11 EST 2003

>"Douglas E. Engert" <deengert at> writes:
>Why not add a flag on the krb5.conf for each realm indicating which protocol
>to use. The user wants the same change password appliation to work against
>multiple realms.

I prefer this approach.  The reason for this is that I think that the 
choice of which set password protocol clients should use is a site 
decision and not a developer decision.  Switching the protocol 
version(s) used should not require recompiling ksetpw/kpasswd.

My team ships Kerberos binaries to Apple which are then shipped with 
Mac OS X.  We need to be able to provide Apple with binaries which 
will work for all sites.  We cannot ask site administrators to 
recompile our sources, because the Kerberos binaries may be replaced 
by Apple's automatic software update mechanism.

If the API is the only way to set which protocol version(s) to use, 
we will be forced to provide binaries which default to trying the 
standard protocol and falling back to the Microsoft one because this 
is the only behavior that works everywhere.  Because sites may 
eventually want to change the behavior for their realms to avoid the 
downgrade attack, we will probably end up providing a way to 
configure the behavior per realm regardless of what is decided here.

I assume other vendors who ship Kerberos binaries have similar 
problems.  Rather than having every vendor pick their own way of 
configuring the behavior, I'd like to see us all using the same one.

Note that I'm not opposed to an API which modifies the behavior -- 
just to that being the only way to modify it.

Alexandra Ellwood                                               <lxs at>
MIT Information Systems                     

More information about the krbdev mailing list