The history key

Jeffrey Altman jaltman at
Wed Jan 13 23:02:35 EST 2010

On 1/13/2010 6:51 PM, Tom Yu wrote:
> ghudson at MIT.EDU writes:
>> 2. For 1.8, we will make sure it is possible to change the history key
>> (with cpw -randkey) and still have password changes work, although old
>> password history will effectively be lost if you do this.  (This just
>> means ignoring integrity error codes from krb5_dbekd_decrypt_key_data
>> in check_pw_reuse, I think.)
> Does anyone who is currently using the password policy support,
> especially for regulatory or similar reasons, think it is a problem
> for existing password history to be lost during such a migration
> scenario?

I would suggest two things:

(a) A developer's list is really not the correct forum to ask
    such a question.  A list read by managers would be more
    appropriate.  Since such a list doesn't exist, I think
    you would (if necessary) need to seek out and query users
    (or perhaps OS Vendor consultants) directly.

(b) Even if there are sites for which loss of the history would
    not be a problem, there are certainly sites for which it
    will be.

Jeffrey Altman

