On Aug 17, 2006, at 12:38, Fariba wrote:
> Could you elaborate on that?
>
> Ken Raeburn wrote:
>> You'd need some sort of administrator access, either through the
>> kadmin protocol, or the set/change password protocol being worked on
>> in the IETF.

An administrator could change the password with kadmin's "cpw" command.

This is roughly the use case I had in mind:

At a school, a registrar creates accounts (including Kerberos principals) for use by the students in a class, with names constructed like <class identifier><sequence number>, e.g., c101_12, with random keys (or, if we allowed it, with no keys). The realm is shared across a bunch of classes. The instructors for the class are given the ability to change passwords for accounts, but not to create new accounts. After the first class, each student meets with the instructor or teaching assistants, gets assigned an account id, and picks a password which is set on the principal then and there by the instructor.

Probably not the most convenient way of doing it, compared to, say, having the registrar assign initial passwords and require that the passwords be changed immediately, but it would work.

Another no-password case would be PKINIT; if the initial tickets are always acquired via PKINIT, there's no need for a password.

Ken
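
One way the delegation described in the message above could be written in MIT krb5's kadm5.acl, as an added example that is not part of the original message. The realm EXAMPLE.EDU and the principals registrar/admin and prof101/admin are assumptions, and c101_13 is a constructed second account.

```conf
# kadm5.acl for kadmind. Line format: principal  permissions  [target_principal]
# EXAMPLE.EDU, registrar/admin and prof101/admin are assumed names for this example.

# Registrar: add (a), change password (c), delete (d), inquire (i), list (l), modify (m).
# Creates the class accounts with random keys, e.g. in kadmin:
#   addprinc -randkey c101_12
registrar/admin@EXAMPLE.EDU   acdilm

# Instructor for class c101: change password (c) only, and only on that class's accounts.
# There is no "a" here, so an addprinc request from this principal is refused.
# One line per account: c101_12 is the name used in the message, c101_13 is constructed.
prof101/admin@EXAMPLE.EDU     c    c101_12@EXAMPLE.EDU
prof101/admin@EXAMPLE.EDU     c    c101_13@EXAMPLE.EDU

# With the student present, the instructor sets the chosen password in kadmin:
#   cpw c101_12
```

Because the instructor entries name a target principal, the password-change right does not extend to accounts of other classes in the shared realm.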
