Content-type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-transfer-encoding: 7BIT
X-RT-Original-Encoding: iso-8859-1
Content-Length: 969

Some information from Steven Simon:

> This command is not in the last spec.
>
> The PasswordService daemon handles password replication and policies  
> for us.
> When a change comes in through Kerberos, we have the KDC notify the  
> PasswordService
> of the change.
>
> PasswordService's protocol is a hack of the POP3 protocol. It's text- 
> based with command + args.
> The protocol for this command is:
> AUTH KERBEROS-LOGIN-CHECK <principal> [? | + | - | !]
>
> ?	=	get current status, returns a status code for the user's current  
> state
> 		the values are in the patch (search for "// Reposonse Codes (used  
> numerically)")
> +	= 	kinit success
> -	=	bad password
> !	=	password changed
>
> In past releases, we restricted access to "KERBEROS-LOGIN-CHECK" to  
> localhost.
> However, that approach proscribes shell accounts on the  
> PasswordService system.
> We've updated PasswordService to have a root-only named pipe for  
> flexibility.
>
> - Steve