password change protocol implementation
John Hascall
john at iastate.edu
Fri Feb 13 17:53:27 EST 2004
> > I'm wondering why you think people don't or won't be using
> > krb5_{rd|mk}_{safe|priv}? Or am I missing your point?
> Two reasons:
> - They're a pain in the butt to use from a programming perspective (speaking
> from experience, believe me). Sure, I understand why Sam doesn't
> want the API to get worse; it's terrible as-is. But it's much
> simpler to use the raw encryption/checksum routines.

They never seemed that hard to me, but perhaps I'm
missing some subtlety. Certainly it was a lot less
trouble than figuring out how to use that GSS glarp.
I mean what's so hard about krb5_rd_priv(ctx, actx, &in, &out, NULL);

> - If you use them today, your protocol won't work from behind a NAT (hence
> the reason the stock MIT code doesn't support password changing from
> behind a NAT).

But NATs are evil and IPv6 will make them go away, right? (*pleads*) :)

John