[864] in Kerberos_V5_Development
Re: Proposed Kerberos V5 Password Changing Algorithm
daemon@ATHENA.MIT.EDU (Rich Salz)
Fri Feb 24 10:31:19 1995
From: Rich Salz <rsalz@osf.org>
Date: Fri, 24 Feb 95 10:26:42 -0500
To: marc@MIT.EDU
Cc: krbdev@MIT.EDU
>> There's a reason why the change password command includes the old
>> password, even though you've already authenticated to the password
>> changing daemon.
> Why's that?
A couple of reasons. First, it lets the server do some useful things
(e.g., make sure you're not changing your password to the same thing)
without requiring it to store your previous password. (Of course,
servers that keep full password histories can do more useful things.)
Second, it lets the server act as a gateway out to other security domains
(e.g., the password change server could also change your NIS password,
etc).
/r$
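
Added example, not part of the original message or of the Kerberos V5 code: a password-change handler that stores only a salted derived key, uses the old password carried in the request to reject an identical or near-identical new password, and forwards the change to another security domain. The class name, the similarity rules and the gateway callback are assumptions made for illustration; the near-duplicate checks go one step beyond the exact-match case mentioned in the message.

```python
import hashlib
import hmac
import os


class PasswordChangeServer:
    """Hypothetical server: keeps a salted derived key per user, never the cleartext."""

    def __init__(self, gateways=()):
        self._db = {}                    # user -> (salt, derived key)
        self._gateways = list(gateways)  # callables (user, old, new) for other domains

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._db[user] = (salt, self._derive(password, salt))

    def change(self, user, old, new):
        salt, key = self._db[user]
        # Re-verify the old password from the request against the stored key.
        if not hmac.compare_digest(self._derive(old, salt), key):
            return "old password incorrect"
        # The cleartext old password exists only for the life of this request,
        # which is enough to compare it with the proposed new one.
        if new == old:
            return "new password same as old"
        if new.lower() == old.lower() or new == old[::-1]:
            return "new password too similar to old"
        # Gateway role: other domains (e.g. NIS) get both values, on the
        # assumption that they need the old password to authorize the change.
        for push in self._gateways:
            push(user, old, new)
        self.enroll(user, new)           # fresh salt, new derived key
        return "ok"


if __name__ == "__main__":
    log = []                             # constructed stand-in for a second domain
    srv = PasswordChangeServer([lambda u, o, n: log.append(u)])
    srv.enroll("alice", "Winter95!")     # constructed sample credentials
    print(srv.change("alice", "Winter95!", "winter95!"))
    print(srv.change("alice", "Winter95!", "c0rrect-h0rse"), log)
```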