[2096] in Kerberos_V5_Development
Re: Handling password expiration gracefully
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Mon Dec 9 14:04:28 1996
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "Mon, 09 Dec 1996 12:12:00 EST."
<9612091712.AA02877@DUN-DUN-NOODLES.MIT.EDU>
Date: Mon, 09 Dec 1996 14:03:51 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>An implementation that uses the kadm5 api is clearly (to me) the right
>way to start, because that api already exists and is easy to use.
Well, it's just that right now our login process is slow enough as-is (what
with running aklog and all), and I don't want to add any additional overhead.
Too many "no overhead" additions end up having a lot of overhead. A preauth
that came back with the KDC request is really ideal, since it wouldn't
involve any extra network traffic (and it would still work if the admin
server is down). I'll probably end up doing that.
>This is what I would recommend. The KADM5 api is documented in
>doc/kadm5/api-funcspec.tex in the release.
That brings up another point I wanted to mention ... this is probably too
late for the 1.0 release, but could y'all include PostScript versions of
all of these papers? Not everyone has TeX installed, and even those of
us that do still have trouble formatting foreign TeX documents sometimes
(for example, the doc/kadm5/*-unix-test.tex files give me LaTeX errors that
I don't understand, but I've been able to format other stuff at our site).
--Ken
