Content-type: text/html; charset=US-ASCII
Content-transfer-encoding: quoted-printable
X-RT-Original-Encoding: iso-8859-1
Content-Length: 2439

<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Some information from Steven Simon:<div><br class="webkit-block-placeholder"></div><div><blockquote type="cite">This command is not in the last spec.<div><br class="webkit-block-placeholder"></div><div>The PasswordService daemon handles password replication and policies for us.</div><div>When a change comes in through Kerberos, we have the KDC notify the PasswordService</div><div>of the change.</div><div><br class="webkit-block-placeholder"></div><div>PasswordService's protocol is a hack of the POP3 protocol. It's text-based with command + args.</div><div>The protocol for this command is:</div><div><font class="Apple-style-span" face="Courier">AUTH KERBEROS-LOGIN-CHECK &lt;principal&gt; [? | + | - | !]</font></div><div><br class="webkit-block-placeholder"></div><div><div>?<span class="Apple-tab-span" style="white-space: pre; ">	</span>=<span class="Apple-tab-span" style="white-space: pre; ">	</span>get current status, returns a status code for the user's current state</div><div><span class="Apple-tab-span" style="white-space: pre; ">		</span>the values are in the patch (search for "// Reposonse Codes (used numerically)")</div><div>+<span class="Apple-tab-span" style="white-space: pre; ">	</span>=&nbsp;<span class="Apple-tab-span" style="white-space: pre; ">	</span>kinit success</div><div>-<span class="Apple-tab-span" style="white-space: pre; ">	</span>=<span class="Apple-tab-span" style="white-space: pre; ">	</span>bad password</div><div>!<span class="Apple-tab-span" style="white-space: pre; ">	</span>=<span class="Apple-tab-span" style="white-space: pre; ">	</span>password changed</div><div><br class="webkit-block-placeholder"></div><div>In past releases, we restricted access to "<span class="Apple-style-span" style="font-family: Courier; ">KERBEROS-LOGIN-CHECK"&nbsp;<span class="Apple-style-span" style="font-family: Helvetica; ">to localhost.</span></span></div><div><span class="Apple-style-span" style="font-family: Courier; "><span class="Apple-style-span" style="font-family: Helvetica; ">However, that approach proscribes shell accounts on the PasswordService system.</span></span></div><div>We've updated PasswordService to have a root-only named pipe for flexibility.</div><div><br class="webkit-block-placeholder"></div><div>- Steve</div></div></blockquote><div></div></div></body></html>