password policy to enforce different passwords for different principal instances? - Kerberos


  1. password policy to enforce different passwords for different principal instances?

    At my company, we've set up IMAP and SMTP services to fall back to PLAIN
    authentication using a different instance of the principal (over SSL of
    course). This way, users can use clients (such as the iPhone) that do
    not support Kerberos, but the Kerberos password for their default
    instance (which may grant them ssh access to certain machines) is not
    cached on their client. We are also considering doing something similar
    for HTTP authentication (Negotiate falling back to Basic).

    Is there any way to set up a password policy that would enforce that
    different instances of a principal have different passwords?

    Thanks,
    Tim

  2. Re: password policy to enforce different passwords for different principal instances?

    Tim Olsen writes:

    > At my company, we've set up IMAP and SMTP services to fall back to PLAIN
    > authentication using a different instance of the principal (over SSL of
    > course). This way, users can use clients (such as the iPhone) that do
    > not support Kerberos, but the Kerberos password for their default
    > instance (which may grant them ssh access to certain machines) is not
    > cached on their client. We are also considering doing something similar
    > for HTTP authentication (Negotiate falling back to Basic).
    >
    > Is there any way to set up a password policy that would enforce that
    > different instances of a principal have different passwords?


    The password policy support in MIT Kerberos is somewhat limited and
    does not support this operation at the moment. It probably would not
    be too difficult to add the functionality as a quick hack. If there
    is interest in making a more general solution, I would like to hear
    proposals about a plug-in interface or similar.

    For future inclusion in MIT Kerberos source code, I would of course
    prefer a general solution that would be useful to a wide range of
    enterprises.

    --
    Tom Yu
    Development Manager
    MIT Kerberos Consortium
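
A check of this kind has to run where the new cleartext password is available, because each instance's key is salted with its own principal name and stored keys cannot be compared directly. The sketch below is an added example, not MIT Kerberos code or anything posted in the thread. It assumes every key uses the RFC 8009 aes128-cts-hmac-sha256-128 enctype with default salts; `colliding_instances`, the `kdb` dictionary and the EXAMPLE.COM principals are hypothetical names constructed for illustration.

```python
import hashlib
import hmac
import struct

ENCTYPE = b"aes128-cts-hmac-sha256-128"  # assumed enctype for every key here
KEY_BITS = 128

def parse(principal):
    """Split 'primary/instance@REALM' into (components, realm)."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm

def default_salt(principal):
    """Default Kerberos 5 salt: realm followed by the name components."""
    comps, realm = parse(principal)
    return (realm + "".join(comps)).encode()

def string_to_key(password, salt, iterations=32768):
    """RFC 8009 string-to-key: PBKDF2-HMAC-SHA256, then KDF-HMAC-SHA2."""
    tkey = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               ENCTYPE + b"\x00" + salt, iterations, KEY_BITS // 8)
    msg = struct.pack(">I", 1) + b"kerberos\x00" + struct.pack(">I", KEY_BITS)
    return hmac.new(tkey, msg, hashlib.sha256).digest()[:KEY_BITS // 8]

def colliding_instances(principal, new_password, kdb):
    """Return other instances of the same primary whose key matches new_password."""
    comps, realm = parse(principal)
    hits = []
    for other, stored_key in kdb.items():
        ocomps, orealm = parse(other)
        if other == principal or orealm != realm or ocomps[0] != comps[0]:
            continue
        # Keys are salted per principal, so re-derive under the sibling's salt.
        candidate = string_to_key(new_password, default_salt(other))
        if hmac.compare_digest(candidate, stored_key):
            hits.append(other)
    return hits

def build_sample_kdb():
    """Constructed stand-in for the KDC database: principal -> long-term key."""
    passwords = {"tim@EXAMPLE.COM": "login-secret",
                 "tim/mail@EXAMPLE.COM": "mail-secret",
                 "alice/mail@EXAMPLE.COM": "login-secret"}
    return {p: string_to_key(pw, default_salt(p)) for p, pw in passwords.items()}

if __name__ == "__main__":
    kdb = build_sample_kdb()
    print(colliding_instances("tim/mail@EXAMPLE.COM", "login-secret", kdb))
    print(colliding_instances("tim/mail@EXAMPLE.COM", "new-mail-secret", kdb))
```

A password change would be rejected whenever the returned list is non-empty.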
