Adding a krb5_get_change_password_message() function?

Greg Hudson ghudson at MIT.EDU
Wed Apr 25 12:23:36 EDT 2012


On 04/25/2012 07:43 AM, Stef Walter wrote:
> I was wondering if we want to add a krb5_get_change_password_message()
> which changes the result_string returned from krb5_change_password()
> into a displayable message explaining to the user more info about the
> password rejection and policy requirements?

I'm a little conflicted.  We don't do a lot of converting structured
data into strings in libkrb5, and when we have, it has often created
problems.  On the other hand, smoothing over interoperability issues is
a good role for libkrb5, and AD ought to be returning a UTF-8 string if
it followed RFC 3244.  (But on the third hand, a displayable string in
the protocol is a fundamentally non-localizable design.  And on the
fourth hand, it's not really possible to describe password change errors
in a structured fashion without making assumptions about the kind of
password checks involved, so localization can really only be done on the
server, which is usually poor design, although it's envisioned by
draft-ietf-krb-wg-kerberos-set-passwd.)

So, I'm not wild about the idea, but it seems reasonable enough, and I
don't have a better alternative.  If you implement this, please include
test cases (just a C program to feed some krb5_data values to the API
and verify the results) and choose a shorter name for the API, like
krb5_chpw_message() (similar to krb5_chpw_result_code_string()).
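
[Added example, not part of the message above and not libkrb5 code.] One check a caller can make before displaying a server-supplied result string: treat it as text only when it is well-formed UTF-8 with no NUL or ASCII control bytes, so binary replies and terminal escape sequences are never printed. The names chpw_data, chpw_kind and chpw_classify are hypothetical, and chpw_data is a local stand-in for krb5_data.

```c
#include <stddef.h>
#include <stdio.h>
/* Local stand-in for krb5_data (assumption) so this builds without libkrb5. */
struct chpw_data { unsigned int length; const char *data; };
enum chpw_kind { CHPW_EMPTY, CHPW_TEXT, CHPW_OPAQUE };

/* Hypothetical helper: CHPW_TEXT only for well-formed UTF-8 that contains
 * no NUL and no ASCII control bytes other than tab, newline and CR. */
enum chpw_kind chpw_classify(const struct chpw_data *d)
{
    const unsigned char *p = (const unsigned char *)d->data;
    size_t i = 0, n = d->length, extra, k;
    unsigned long cp;
    if (n == 0)
        return CHPW_EMPTY;
    while (i < n) {
        unsigned char c = p[i];
        if (c < 0x80) {
            if ((c < 0x20 && c != '\t' && c != '\n' && c != '\r') || c == 0x7f)
                return CHPW_OPAQUE;        /* NUL, ESC, other controls */
            i++;
            continue;
        }
        if (c >= 0xc2 && c <= 0xdf) { extra = 1; cp = c & 0x1f; }
        else if (c >= 0xe0 && c <= 0xef) { extra = 2; cp = c & 0x0f; }
        else if (c >= 0xf0 && c <= 0xf4) { extra = 3; cp = c & 0x07; }
        else return CHPW_OPAQUE;           /* stray continuation or bad lead */
        if (n - i <= extra)
            return CHPW_OPAQUE;            /* sequence runs past the buffer */
        for (k = 1; k <= extra; k++) {
            if ((p[i + k] & 0xc0) != 0x80)
                return CHPW_OPAQUE;
            cp = (cp << 6) | (p[i + k] & 0x3f);
        }
        /* Reject overlong forms, surrogates and values past U+10FFFF. */
        if ((extra == 2 && cp < 0x800) || (extra == 3 && cp < 0x10000) ||
            (cp >= 0xd800 && cp <= 0xdfff) || cp > 0x10ffff)
            return CHPW_OPAQUE;
        i += extra + 1;
    }
    return CHPW_TEXT;
}

int main(void)
{
    static const char esc[] = "\x1b[2JOK";  /* constructed sample input */
    struct chpw_data d = { sizeof(esc) - 1, esc };
    printf("%d\n", chpw_classify(&d));
    return 0;
}
```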

