Should we be implementing version 2 of the set/change password protocol?

Ezra Peisach epeisach at MIT.EDU
Wed Jan 22 18:06:01 EST 2003

The discussion about kpasswd made me realize that our tree still
supports version one of the Kerberos change password protocol.
(For reference purposes, the doc/kadmin directory contains notes
on the different protocols currently existing in the tree).

Our tree's code is based on the 1998
draft-ietf-cat-kerb-chg-password-02.txt (as is Heimdal 0.5). 
krb5_change_password only knows from this code.

Meanwhile, newer drafts have been developed and version 2 of the
protocol has been kicking around for a
while. <draft-ietf-cat-kerberos-set-passwd-06.txt>

The major added complexity is that TCP SHOULD be accepted. We would need
to handle a server returning the wrong version number and retrying with
a different protocol - new encoders, etc.

How important is it that this gets done?

If nothing else, maybe a bug report filed that we should consider future

