Support for Microsoft Set Password protocol

Nicolas Williams Nicolas.Williams at sun.com
Wed Apr 2 16:27:55 EST 2003


On Wed, Apr 02, 2003 at 03:36:00PM -0500, Ken Hornstein wrote:
> >   I'm with Love (I think it was he) here, this is not something
> >   I want in client config files.  Having it in the KDC config
> >   file would be fine with the method negotiated over the wire
> >   subject to any KDC config constraint(s).
> 
> I agree, this would be the ideal way.  I'm just not sure right now
> how you would negotiate it (is it possible?).  But if you've got a config
> file out there already, I can't see the harm in putting that info
> in there.

Provided that the existing two versions of the protocol (v1 and the MS
kpasswd protocol) and the new protocol (v2) all use the same framing
(they do), if they use the same ports (they do), and that all existing
implementations respond to requests from clients using major protocol
versions other than the servers' (I'm not sure), then negotiation can be
done, though, as I've said earlier, not securely.

Also, v2 will be extensible and will provide for minor version
negotiation.  Hopefully no further major versions will be needed.

Cheers,

Nico