[110] in pc-kerberos


Re: Upcoming potential changes in KRBV4*.DLL

daemon@ATHENA.MIT.EDU (Paul B. Hill )
Wed Jul 26 16:09:09 1995

To: John Gardiner Myers <jgm+@CMU.EDU>
Cc: pc-kerberos@MIT.EDU
Date: Wed, 26 Jul 95 15:57:51
From: pbh@MIT.EDU (Paul B. Hill )
Reply-To: pc-kerberos@MIT.EDU

To:  John Gardiner Myers <jgm+@CMU.EDU>
Cc:  pc-kerberos@mit.edu
Subject:  Re: Upcoming potential changes in KRBV4*.DLL
Date:  Wed, 26 Jul 95 10:26:11
From:  pbh (Paul B. Hill )

>I would, however, much prefer if the PC V4 libraries did *not*
>preserve state indicating which algorithm was last used for
>authentication.  If a site is running a server for the MIT V4
>password-changing protocol (which takes additional software and effort
>to do in combination with a Transarc Kerberos server), the client
>should use the MIT V4 string-to-key algorithm.  If the PC V4 libraries
>can use the Transarc password-changing protocol, I'd say the libraries
>have too much bloat.

Hi John,

Unfortunately CMU is in the minority in this area. Wally feels that if we
were to stick with Shabby's proposal CMU could deal with it. Many other
sites could not presently deal with only using the MIT string to key 
algorithm when changing the password.

It seems to me that the following compromise would work best:

The new libraries will iterate over the s-to-k algorithms when
authenticating. Which s-to-k succeeded will be preserved. By default the
libraries will use this information when changing the password. However,
there will be a resource that can be used to override this behavior. The
resource could be set to instruct the libraries to always use the MIT
string-to-key when changing the password.

This would mean that someone at CMU could use AppStudio or a similar tool to
modify the resource so that all users would be using the MIT s-to-k. But,
the libraries would continue to function at sites like UMich and Cornell.

Here are some of the problems that I see:

1) If a CMU user grabs a copy of the Kerberos DLL from MIT rather than from
your local software distribution system the resource would not be set the
way that you anticipate. This would become a user education problem for CMU.

2) What happens to CMU users that have a UMich principal and need to change
their password at UMich?

Paul
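
The compromise described in the message above and its problem 2, modelled as an added example that is not part of the original post or the KRBV4 library code. The key derivations are toy stand-ins, every name is hypothetical, and the model assumes the server stores the new key exactly as the client derives it.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins, NOT the real DES-based string-to-key functions. They keep
 * one property: the MIT V4 form ignores the realm, the Transarc/AFS form
 * salts with the cell name, so the two give different keys. */
typedef enum { S2K_NONE = -1, S2K_MIT = 0, S2K_AFS = 1, S2K_COUNT = 2 } s2k_alg;

static uint64_t mix(uint64_t h, const char *s) {
    while (*s) { h ^= (unsigned char)*s++; h *= 1099511628211ULL; }
    return h;
}

uint64_t s2k(s2k_alg alg, const char *pw, const char *realm) {
    uint64_t h = mix(14695981039346656037ULL, pw);
    return alg == S2K_AFS ? mix(h ^ 0xA5, realm) : h;
}

/* Hypothetical KDC record: one stored key plus the algorithm the site's
 * other clients are hard-wired to use. */
typedef struct { const char *realm; s2k_alg site_alg; uint64_t key; } kdc;

/* Authentication as proposed: try each algorithm, report which one worked. */
s2k_alg authenticate(const kdc *k, const char *pw) {
    for (int a = S2K_MIT; a < S2K_COUNT; a++)
        if (s2k((s2k_alg)a, pw, k->realm) == k->key) return (s2k_alg)a;
    return S2K_NONE;
}

/* Password change: remembered algorithm by default, MIT if the override
 * resource is set. Assumes the server stores the key exactly as sent. */
s2k_alg change_password(kdc *k, s2k_alg remembered, int force_mit, const char *pw) {
    s2k_alg used = force_mit ? S2K_MIT : remembered;
    k->key = s2k(used, pw, k->realm);
    return used;
}

/* A site-native client that only knows the site's own algorithm. */
int site_login(const kdc *k, const char *pw) {
    return s2k(k->site_alg, pw, k->realm) == k->key;
}

int main(void) {
    kdc umich = { "UMICH.EDU", S2K_AFS, 0 };   /* constructed sample realm */
    umich.key = s2k(S2K_AFS, "old-pw", umich.realm);
    s2k_alg seen = authenticate(&umich, "old-pw");
    change_password(&umich, seen, 1, "new-pw");  /* override set, as at CMU */
    printf("new library: %d, site-native client: %d\n",
           authenticate(&umich, "new-pw") != S2K_NONE, site_login(&umich, "new-pw"));
    return 0;
}
```

Under these assumptions the iterating library still authenticates after the forced-MIT change, while a client that only knows the site's algorithm no longer does.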




