...
- RFC 3244 Microsoft Windows 2000 Kerberos Password Change Protocol.
- UDP frontend on port 464 (KPASSWD).
- Default principal kadmin/changepw@REALM.tld.
- AP-REQ, KRB-PRIV, and PRIV-BODY.
- Request-response protocol: 1 request, 1 response.
- AP-REQ requires Authenticator with PRNG subsession key.
- usec and sequence present and same value as seq-number from Authenticator.
- New ASN.1 structure, ChangePasswdData SEQUENCE.
- ChangepwService needs access to PrincipalStore.
- Interceptor for policy checks.
- Eventually need configurable auto-generation of keytypes.
- 9 Error types, with UTF-8 optional/omitted result string.
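The RFC 3244 framing around the AP-REQ and KRB-PRIV, and the result code carried in a reply, as an added Python example (not ApacheDS code). The function names are illustrative, the sample bytes are constructed placeholders rather than real ASN.1, and the result-code names are those of RFC 3244.

```python
import struct

# Result codes from RFC 3244 (0xFFFF is its catch-all for other failures).
RESULT_CODES = {
    0: "KRB5_KPASSWD_SUCCESS",
    1: "KRB5_KPASSWD_MALFORMED",
    2: "KRB5_KPASSWD_HARDERROR",
    3: "KRB5_KPASSWD_AUTHERROR",
    4: "KRB5_KPASSWD_SOFTERROR",
    5: "KRB5_KPASSWD_ACCESSDENIED",
    6: "KRB5_KPASSWD_BAD_VERSION",
    7: "KRB5_KPASSWD_INITIAL_FLAG_NEEDED",
    0xFFFF: "other/unspecified failure",
}

def split_frame(datagram: bytes):
    """Split a kpasswd UDP datagram into (version, AP-REQ/AP-REP, KRB-PRIV).

    Header is three big-endian 16-bit fields: message length (whole message,
    header included), protocol version, AP length. Each length is checked
    against the bytes actually received before anything is sliced.
    """
    if len(datagram) < 6:
        raise ValueError("shorter than the 6-byte header")
    msg_len, version, ap_len = struct.unpack(">HHH", datagram[:6])
    if msg_len != len(datagram):
        raise ValueError("message length does not match datagram size")
    if ap_len > msg_len - 6:
        raise ValueError("AP length runs past end of message")
    return version, datagram[6:6 + ap_len], datagram[6 + ap_len:]

def parse_result(user_data: bytes):
    """Decode decrypted reply user-data: 2-byte result code, optional UTF-8 string."""
    if len(user_data) < 2:
        raise ValueError("missing result code")
    (code,) = struct.unpack(">H", user_data[:2])
    text = user_data[2:].decode("utf-8", errors="replace")  # may be empty
    return code, RESULT_CODES.get(code, "unknown"), text

def build_frame(version: int, ap: bytes, priv: bytes) -> bytes:
    """Build a frame from constructed placeholder payloads (for testing only)."""
    return struct.pack(">HHH", 6 + len(ap) + len(priv), version, len(ap)) + ap + priv

if __name__ == "__main__":
    # Constructed sample: 0xFF80 is the RFC 3244 request version number.
    print(split_frame(build_frame(0xFF80, b"AP-REQ-bytes", b"KRB-PRIV-bytes")))
    print(parse_result(b"\x00\x05policy check failed"))
```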
Roadmap
Change Password 0.5 (chain update)
- split KdcConfig into KdcConfig and ChangepwConfig
- formatting updates
- refactor changepw-protocol to chain
- documentation of the steps in the chain
- documentation of configuration
- update MINA to 0.7.3
Change Password 0.5.1 (refactoring)
- refactor common code to protocol-common
- update MINA to 0.8
Change Password 0.6 (first stable release)
- first release as part of ApacheDS 0.9.3
Change Password 0.7 (unstable feature release)
- allow serving multiple realms
- allow admins to change passwords for users