password change protocol implementation
Nicolas Williams
Nicolas.Williams at sun.com
Mon Feb 16 12:11:22 EST 2004
On Fri, Feb 13, 2004 at 06:41:31PM -0500, Ken Hornstein wrote:
> >After all, kadmin uses the GSS-API, so precedent for the use of the
> >GSS-API instead of raw Kerberos V for KDC-related services exists.
>
> You mean that wacky, non-standardized, completely non-interoperable-between-
> Kerberos-implementations protocol? :-)

No, I mean RPCSEC_GSS, which is standardized. Yes, MIT's kadmin uses
AUTH_GSSAPI, which is not standardized, but hopefully MIT will change
this. But, in any case, the point stands: we should use the GSS-API
instead of raw Kerberos V if we can, even for KDC services (the only
exception being pre-auth -- we've been down that road and we chose not
to stay on it).

> Actually, I don't necessarily disagree ... but sadly, we're stuck with the
> existing protocol in the short term, and I need to make the damn thing
> work.

Sure.

Nico
--