Actually, I lied. I did create a new service/checkpw principal and gave it the pw change service flag and that's what I'm using to check the password. I should probably verify that ticket with a keytab.

On Thu, 2005-09-22 at 13:54 -0400, Tom Yu wrote:
> >>>>> "digant" == Digant C Kasundra <[EMAIL PROTECTED]> writes:
>
> digant> Ah, that works. I tried to get a ticket for kadmin/changepw
> digant> instead of a TGT for the realm. Thanks for the lead!
>
> Please remember that you need to verify the ticket you get, or else an
> attacker could collude with an imposter KDC to log in. I would hope
> that you do not have a key for verifying kadmin/changepw tickets on
> your client machines, thus Mike's suggestion for a different principal
> with that attribute set.
>
> ---Tom
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
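
The verification step discussed in this thread, as an added example that is not code from the thread or from MIT Kerberos: a simplified Python model of a password check that accepts a KDC reply with and without checking the returned service ticket against a keytab key. The cipher, the key derivation, the message layout and all names except service/checkpw are assumptions made for illustration; a real client would do this through the Kerberos library rather than by hand.

```python
import hashlib, hmac, os

def string_to_key(password, salt):
    # Stand-in for a Kerberos string-to-key function (assumption: PBKDF2).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def seal(key, plaintext):
    # Toy authenticated encryption standing in for a Kerberos enctype.
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed")
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class KDC:
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys
    def as_req(self, user, service):
        # Reply part sealed under the user's key, ticket under the service key.
        session = os.urandom(32)
        ticket = seal(self.service_keys[service], user.encode() + b"\0" + session)
        return seal(self.user_keys[user], session), ticket

def check_password(kdc, user, password, service, keytab_key=None):
    enc_part, ticket = kdc.as_req(user, service)
    try:
        session = unseal(string_to_key(password, user), enc_part)
        if keytab_key is None:
            return True  # unverified: trusts whichever KDC answered
        name, _, tkt_session = unseal(keytab_key, ticket).partition(b"\0")
    except ValueError:
        return False
    return name == user.encode() and hmac.compare_digest(tkt_session, session)

# Constructed sample data: principal names, passwords and keys are made up.
USER, SERVICE = "alice", "service/checkpw"
KEYTAB_KEY = os.urandom(32)  # held only by the real KDC and this host's keytab
real_kdc = KDC({USER: string_to_key("correct horse", USER)}, {SERVICE: KEYTAB_KEY})
# An impostor KDC can pick any user key but cannot know the keytab key.
fake_kdc = KDC({USER: string_to_key("anything", USER)}, {SERVICE: os.urandom(32)})
```

Without keytab_key the check succeeds against fake_kdc for whatever password that KDC was set up with; with keytab_key the same reply is rejected because the ticket does not decrypt under the host's key.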