The history key
Nicolas Williams
Nicolas.Williams at sun.com
Thu Jan 14 00:25:14 EST 2010
On Wed, Jan 13, 2010 at 11:02:35PM -0500, Jeffrey Altman wrote:
> On 1/13/2010 6:51 PM, Tom Yu wrote:
> > Does anyone who is currently using the password policy support,
> > especially for regulatory or similar reasons, think it is a problem
> > for existing password history to be lost during such a migration
> > scenario?
>
> I would suggest two things:
>
> (a) a developer's list is really not the correct forum to ask
> such a question. a list read by managers would be more
> appropriate. since such a list doesn't exist, I think
> you would (if necessary) need to seek out and query users
> (or perhaps OS Vendor consultants) directly.
I agree. Fortunately OS vendor types do hang out here.
Do note that the password history loss is at the customer's choice in
the solution outlined by Greg, and that an old 1DES key will only be
encrypting old passwords. I think that's reasonable.
If you're point is that a tool could re-key the history, then I would
agree, and that'd be nice. I'm not sure what priority I'd give such a
tool, however.
Nico
--
More information about the krbdev
mailing list