[106] in pc-kerberos
Re: Upcoming potential changes in KRBV4*.DLL
daemon@ATHENA.MIT.EDU (John Gardiner Myers)
Tue Jul 25 16:05:15 1995
Date: Tue, 25 Jul 1995 15:56:38 -0400 (EDT)
From: John Gardiner Myers <jgm+@CMU.EDU>
To: pc-kerberos@MIT.EDU
In-Reply-To: <199507251508.LAA04021@stargazer.mit.edu>

Chris Shabsin <shabby@MIT.EDU> writes:
> o The DES library will be changed to iterate over the MIT and Transarc
> style string_to_key algorithms in such a way to allow the libraries
> to be used by sites using either an MIT- or Transarc-style realm
> without recompilation. The library will preserve the state
> information indicating which algorithm was last successfully used
> for authentication, thereby even allowing the library to be used to
> change the user's password in various realm types.

At CMU, we have a Transarc Kerberos server; however, we are in the
process of transitioning from the Transarc string-to-key to the MIT
string-to-key.

All of our initial-ticket-obtaining software either tries both
string-to-key algorithms, or only tries the MIT string-to-key
algorithm. All of our password-changing software uses the MIT
string-to-key algorithm for the new password.

I don't care much either way whether or not the libraries try both
string-to-key algorithms; we're willing to tell those users who
haven't changed their passwords since January '95 that they have to
change their password on a Unix box before they can log into a PC.

I would, however, much prefer if the PC V4 libraries did *not*
preserve state indicating which algorithm was last used for
authentication. If a site is running a server for the MIT V4
password-changing protocol (which takes additional software and effort
to do in combination with a Transarc Kerberos server), the client
should use the MIT V4 string-to-key algorithm. If the PC V4 libraries
can use the Transarc password-changing protocol, I'd say the libraries
have too much bloat.

--
_.John G. Myers Internet: jgm+@CMU.EDU
LoseNet: ...!seismo!ihnp4!wiscvm.wisc.edu!give!up