Support for Microsoft Set Password protocol
Alexandra Ellwood
lxs at MIT.EDU
Wed Apr 2 12:06:11 EST 2003
>"Douglas E. Engert" <deengert at anl.gov> writes:
>
>Why not add a flag on the krb5.conf for each realm indicating which protocol
>to use. The user wants the same change password application to work against
>multiple realms.
I prefer this approach. The reason for this is that I think that the
choice of which set password protocol clients should use is a site
decision and not a developer decision. Switching the protocol
version(s) used should not require recompiling ksetpw/kpasswd.

My team ships Kerberos binaries to Apple which are then shipped with
Mac OS X. We need to be able to provide Apple with binaries which
will work for all sites. We cannot ask site administrators to
recompile our sources, because the Kerberos binaries may be replaced
by Apple's automatic software update mechanism.

If the API is the only way to set which protocol version(s) to use,
we will be forced to provide binaries which default to trying the
standard protocol and falling back to the Microsoft one because this
is the only behavior that works everywhere. Because sites may
eventually want to change the behavior for their realms to avoid the
downgrade attack, we will probably end up providing a way to
configure the behavior per realm regardless of what is decided here.

I assume other vendors who ship Kerberos binaries have similar
problems. Rather than having every vendor pick their own way of
configuring the behavior, I'd like to see us all using the same one.

Note that I'm not opposed to an API which modifies the behavior --
just to that being the only way to modify it.
--lxs
--
-----------------------------------------------------------------------------
Alexandra Ellwood <lxs at mit.edu>
MIT Information Systems http://mit.edu/lxs/www/
-----------------------------------------------------------------------------
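The per-realm configuration argued for above, modelled as an added example (not MIT Kerberos code): a small parser for the `[realms]` section of a krb5.conf-style file and a selector returning the protocols a client would try. The option name `set_password_protocol`, the protocol labels and the sample fragment are assumptions made here; the thread names no such option. A realm with an explicit setting gets a single protocol and never falls back, so the try-standard-then-Microsoft downgrade path only remains for unconfigured realms.

```python
import re
RFC3244 = "rfc3244"     # standard (RFC 3244) set/change password protocol
MS_SETPW = "microsoft"  # Microsoft set-password variant
DEFAULT_ORDER = (RFC3244, MS_SETPW)  # works everywhere, but has the downgrade window

# Constructed krb5.conf-style fragment; `set_password_protocol` is a hypothetical key.
SAMPLE_CONF = """\
[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
    set_password_protocol = rfc3244
  }
  CORP.EXAMPLE = {
    set_password_protocol = microsoft
  }
  LEGACY.EXAMPLE = {
  }
"""

def parse_realms(text):
    """Return {realm: {key: value}} from [realms] (subset of krb5.conf syntax)."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):          # section header, e.g. [realms]
            section = line.strip("[]")
            continue
        if section != "realms":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)   # REALM = {
        if m:
            current = realms.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return realms

def protocol_order(realms, realm):
    """Protocols to try, in order; an explicitly configured realm never falls back."""
    setting = realms.get(realm, {}).get("set_password_protocol")
    if setting is None:
        return DEFAULT_ORDER
    if setting not in (RFC3244, MS_SETPW):
        raise ValueError(f"unknown set_password_protocol {setting!r} for {realm}")
    return (setting,)
```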