[16386] in Kerberos_V5_Development
Re: Review of Projects/Kadmin hook interface
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon Sep 27 15:58:07 2010
Date: Mon, 27 Sep 2010 14:57:40 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Russ Allbery <rra@stanford.edu>
Message-ID: <20100927195740.GM9501@oracle.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <87hbhbug0b.fsf@windlord.stanford.edu>
Cc: lha@h5l.org, Sam Hartman <hartmans@mit.edu>, krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Mon, Sep 27, 2010 at 12:45:56PM -0700, Russ Allbery wrote:
> > Why not just do password change with randomized password, so that way
> > you have a password you can synchronize? This is basically what AD
> > does too.
>
> That of course is fine and for that you can just use the chpass
> interface. But that's not the operation performed by cpw -randkey. A
> [...]
I'm saying it's what it should do. I.e., the kadmin/kadm5 client should
be modified to randomize keys by doing a cpw with a randomized password.
You could also have a plugin that disallows set-key on principals whose
passwords you want to synchronize.
Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
