password change protocol implementation

John Hascall john at
Fri Feb 13 17:53:27 EST 2004

> >   I'm wondering why you think people don't or won't be using
> >   krb5_{rd|mk}_{safe|priv}?  Or am I missing your point?

> Two reasons:

> - They're a pain in the butt to use from a programming perspective (speaking
>   from experience, believe me).  Sure, I understand why Sam doesn't
>   want the API to get worse; it's terrible as-is.  But it's much
>   simpler to use the raw encryption/checksum routines.

      They never seemed that hard to me, but perhaps I'm
      missing some subtlety.  Certainly it was a lot less
      trouble than figuring out how to use that GSS glarp.

      I mean what's so hard about krb5_rd_priv(ctx, actx, &in, &out, NULL);

> - If you use them today, your protocol won't work from behind a NAT (hence
>   the reason the stock MIT code doesn't support password changing from
>   behind a NAT).

      But NATs are evil and IPv6 will make them go away, right? (*pleads*)  :)


More information about the krbdev mailing list