A user asked if the KDC could check preauth attempts against old keys and avoid incrementing the failed authentication counter if they match:

http://mailman.mit.edu/pipermail/kerberos/2014-December/020409.html

I mention that here because (1) this issue would save the KDC from having to keep around the history key in order to do this, and (2) we would have to keep around the old keys, not a specific transform of the old password, in order to do this.