password change protocol implementation

Nicolas Williams Nicolas.Williams at
Mon Feb 16 12:11:22 EST 2004

On Fri, Feb 13, 2004 at 06:41:31PM -0500, Ken Hornstein wrote:
> >After all, kadmin uses the GSS-API, so precedent for the use of the
> >GSS-API instead of raw Kerberos V for KDC-related services exists.
> You mean that wacky, non-standardized, completely non-interoperable-between-
> Kerberos-implementations protocol? :-)

No, I mean RPCSEC_GSS, which is standardized.  Yes, MIT's kadmin uses
AUTH_GSSAPI, which is not standardized, but hopefully MIT will change
this.  But, in any case, the point stands: we should use the GSS-API
instead of raw Kerberos V if we can, even for KDC services (the only
exception being pre-auth -- we've been down that road and we chose not
to stay on it).

> Actually, I don't necessarily disagree ... but sadly, we're stuck with the
> existing protocol in the short term, and I need to make the damn thing
> work.



More information about the krbdev mailing list