password change protocol implementation

Nicolas Williams Nicolas.Williams at sun.com
Fri Feb 13 18:27:46 EST 2004


On Fri, Feb 13, 2004 at 05:43:50PM -0500, Ken Hornstein wrote:
> >   I'm wondering why you think people don't or won't be using
> >   krb5_{rd|mk}_{safe|priv}?  Or am I missing your point?
> 
> Two reasons:
> 
> - They're a pain in the butt to use from a programming perspective (speaking
>   from experience, believe me).  Sure, I understand why Sam doesn't
>   want the API to get worse; it's terrible as-is.  But it's much
>   simpler to use the raw encryption/checksum routines.

Frankly, I think we should avoid having any new protocols using raw
Kerberos V, at least for now.

The only new such protocol being considered at the IETF (besides
extensions itself) is the new change password / set keys protocol and
the only reason for using raw Kerberos there is to keep some backwards
compatibility going, but since we can't securely negotiate one version
or another of that protocol we might as well not have any wire compat
with earlier versions, and if we do I can't help but lean to using the
GSS-API then instead of raw Kerberos V.

After all, kadmin uses the GSS-API, so precedent for the use of the
GSS-API instead of raw Kerberos V for KDC-related services exists.

Nico
-- 