This command is not in the last spec.
The PasswordService daemon handles password replication and policies for us.
When a change comes in through Kerberos, we have the KDC notify the PasswordService
of the change.
PasswordService's protocol is a hack of the POP3 protocol. It's text-based with command + args.
The protocol for this command is:

    AUTH KERBEROS-LOGIN-CHECK <principal> [? | + | - | !]

    ? = get current status, returns a status code for the user's current state
        the values are in the patch (search for "// Reposonse Codes (used numerically)")
    + = kinit success
    - = bad password
    ! = password changed

In past releases, we restricted access to "KERBEROS-LOGIN-CHECK" to localhost.
However, that approach proscribes shell accounts on the PasswordService system.
We've updated PasswordService to have a root-only named pipe for flexibility.
- Steve
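
A strict parser for the command line described in the message above, as an added example that is not part of the message or of the patch it refers to. The names (klc_parse, the KLC_* constants), the 255-byte principal limit, the exact-case keyword match and the printable-ASCII restriction on the principal are assumptions; the numeric response codes are in the patch and are not reproduced here.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical names; the four events mirror the flags listed in the message. */
enum klc_event { KLC_INVALID, KLC_QUERY, KLC_KINIT_OK, KLC_BAD_PASSWORD, KLC_PW_CHANGED };
#define KLC_PREFIX "AUTH KERBEROS-LOGIN-CHECK "
#define KLC_MAX_PRINCIPAL 255 /* assumed limit, not taken from the message */

/* Parse one line with its CRLF already stripped. On success the principal is
 * copied to out and the event returned; otherwise KLC_INVALID, out untouched. */
enum klc_event klc_parse(const char *line, char *out, size_t outlen)
{
    const size_t plen = sizeof(KLC_PREFIX) - 1;
    enum klc_event ev;
    const char *p, *sp;
    size_t n, i;
    if (!line || !out || strncmp(line, KLC_PREFIX, plen) != 0)
        return KLC_INVALID;
    p = line + plen;
    sp = strchr(p, ' ');
    /* one space, exactly one flag character, then end of line */
    if (!sp || sp[1] == '\0' || sp[2] != '\0')
        return KLC_INVALID;
    switch (sp[1]) {
    case '?': ev = KLC_QUERY; break;
    case '+': ev = KLC_KINIT_OK; break;
    case '-': ev = KLC_BAD_PASSWORD; break;
    case '!': ev = KLC_PW_CHANGED; break;
    default:  return KLC_INVALID;
    }
    n = (size_t)(sp - p);
    if (n == 0 || n > KLC_MAX_PRINCIPAL || n >= outlen)
        return KLC_INVALID;
    /* Printable ASCII only (assumption): CR, LF and other control bytes in the
     * principal must not be able to start a second command. */
    for (i = 0; i < n; i++)
        if ((unsigned char)p[i] < 0x21 || (unsigned char)p[i] > 0x7e)
            return KLC_INVALID;
    memcpy(out, p, n);
    out[n] = '\0';
    return ev;
}

int main(void)
{
    char who[KLC_MAX_PRINCIPAL + 1]; /* the input below is a constructed sample */
    enum klc_event ev = klc_parse(KLC_PREFIX "alice@EXAMPLE.COM -", who, sizeof who);
    printf("event=%d principal=%s\n", (int)ev, ev ? who : "(none)");
    return 0;
}
```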