Decision on set-change password API

Sam Hartman hartmans at MIT.EDU
Fri Apr 11 14:52:51 EDT 2003

After reading the thread on set password, I've come to the conclusion
that I willcommit a krb5_set_password API rather than a
krb5_ms_set_password API or some other API that is protocol specific.

Since we only support one protocol at the current time, we will always
use that protocol.

With the exception of a small number of applications, the application
cares about the function of setting a password, not about the
particular protocol being used.

We will need a more expansive API to support all the options of the v2
protocol.  That API will require careful design.  Even once we have
that API, the krb5_set_password API will still exist and will try the
v2 protocol and then fall back to the Microsoft protocol.  If we have
not discovered a reasonable way to negotiate by that time, we will
need to provide some mechanism for administrators to configure the
desired protocol on a realm-by-realm basis.

Thanks for all your input; it was useful to explore all the options.


More information about the krbdev mailing list