[2103] in Kerberos_V5_Development
Re: Handling password expiration gracefully
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Tue Dec 10 01:35:32 1996
To: proven@cygnus.com
Cc: "Barry Jaspan" <bjaspan@MIT.EDU>, kenh@cmf.nrl.navy.mil, krbdev@MIT.EDU
From: Marc Horowitz <marc@cygnus.com>
Date: 10 Dec 1996 01:34:54 -0500
In-Reply-To: Christopher Provenzano's message of Tue, 10 Dec 1996 00:26:16 -0500

Christopher Provenzano <proven@proven.org> writes:
>> > An implementation that uses the kadm5 api is clearly (to me) the right
>> > way to start, because that api already exists and is easy to use.
>> > OV's login program did what you describe, with the following
>> > properties:
>> >
>> Maybe I'm missing something obvious, but doesn't this require login to talk
to the kadmind? Doesn't this defeat the purpose of having multiple slave kdcs?

That depends on what you think the purpose of multiple slaves is. I
think they're for reliability when the net flakes out. If this
happens, then you might not find out if your password is about to
expire; this is not the end of the world.

Certainly the preauth is a better solution long-term; I think Barry's
point is that querying the kadmind is less work, because it uses
existing interfaces. A preauth requires a protocol extension, which
requires more careful design.

Marc