[1243] in Kerberos_V5_Development
Re: kadm5_init, acquiring initial credentials
daemon@ATHENA.MIT.EDU (Richard Basch)
Tue May 28 19:33:19 1996
Date: Tue, 28 May 1996 19:29:30 -0400
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: krbdev@MIT.EDU, jik@cam.ov.com
In-Reply-To: <9605282144.AA21467@beeblebrox.MIT.EDU>
From: "Richard Basch" <basch@lehman.com>
I believe it should use a changepw or some other credentials, and that
credential can have a policy that it always requires a password (a flag
in the KDC). Besides, the existing kadmin5 works like that. If you
specify a credentials cache file, it does use the existing credentials.
I have in the past used that to do batches of changes. By default, the
credentials should require a password and not easily be obtainable via
a TGS_REQ. And, by default, if it does not store the credentials, you
get that effect. However, it should not be enforced at the API layer.
Currently, that is the case, too...
--
Richard Basch
Sr. Developer/Analyst, DSO URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc. Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 38th Floor Fax: +1-201-524-5828
Jersey City, NJ 07302-3988 Voice: +1-201-524-5049
