[30383] in Kerberos
Re: password policy to enforce difference passwords for different
daemon@ATHENA.MIT.EDU (Tom Yu)
Mon Oct 27 18:42:24 2008
To: Tim Olsen <tolsen@limelabs.com>
From: Tom Yu <tlyu@MIT.EDU>
Date: Mon, 27 Oct 2008 18:41:28 -0400
In-Reply-To: <QbWdnUUdqOI8aGDVnZ2dnUVZ_vadnZ2d@speakeasy.net> (Tim Olsen's
message of "Tue, 21 Oct 2008 11:30:41 -0400")
Message-ID: <ldvljw97jaf.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Cc: kerberos@MIT.EDU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@MIT.EDU
Tim Olsen <tolsen@limelabs.com> writes:
> At my company, we've setup IMAP and SMTP services to fallback to PLAIN
> authentication using a different instance of the principal (over SSL of
> course). This way, users can use clients (such as the iPhone) that do
> not support kerberos, but the kerberos password for their default
> instance (which may grant them ssh access to certain machines) is not
> cached on their client. We are also considering doing something similar
> for HTTP authentication (Negotiate falling back to Basic).
>
> Is there any way to set up a password policy that would enforce that
> different instances of a principal have different passwords?
The password policy support in MIT Kerberos is somewhat limited and
does not support this operation at the moment. It probably would not
be too difficult to add the functionality as a quick hack. If there
is interest in making a more general solution, I would like to hear
proposals about a plug-in interface or similar.
For future inclusion in MIT Kerberos source code, I would of course
prefer a general solution that would be useful to a wide range of
enterprises.
--
Tom Yu
Development Manager
MIT Kerberos Consortium
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
