summaryrefslogtreecommitdiff
path: root/third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt')
-rw-r--r--third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt325
1 files changed, 325 insertions, 0 deletions
diff --git a/third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt b/third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt
new file mode 100644
index 00000000000..6f7dae0dea7
--- /dev/null
+++ b/third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-set-passwd-02.txt
@@ -0,0 +1,325 @@
+
+INTERNET-DRAFT Mike Swift
+draft-ietf-cat-kerberos-set-passwd-02.txt Microsoft
+March 2000 Jonathan Trostle
+ Cisco Systems
+ John Brezak
+ Microsoft
+ Bill Gossman
+ Cybersafe
+
+ Kerberos Set/Change Password: Version 2
+
+
+0. Status Of This Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026 [1].
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as
+ Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six
+ months and may be updated, replaced, or obsoleted by other
+ documents at any time. It is inappropriate to use Internet-
+ Drafts as reference material or to cite them other than as
+ "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ Comments and suggestions on this document are encouraged. Comments
+ on this document should be sent to the CAT working group discussion
+ list:
+ ietf-cat-wg@stanford.edu
+
+1. Abstract
+
+ The Kerberos (RFC 1510 [3]) change password protocol (Horowitz [4]),
+ does not allow for an administrator to set a password for a new user.
+ This functionality is useful in some environments, and this proposal
+ extends [4] to allow password setting. The changes are: adding new
+ fields to the request message to indicate the principal which is
+ having its password set, not requiring the initial flag in the service
+ ticket, using a new protocol version number, and adding three new
+ result codes. We also extend the set/change protocol to allow a
+ client to send a sequence of keys to the KDC instead of a cleartext
+ password. If in the cleartext password case, the cleartext password
+ fails to satisfy password policy, the server should use the result
+ code KRB5_KPASSWD_POLICY_REJECT.
+
+2. Conventions used in this document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
+ this document are to be interpreted as described in RFC-2119 [2].
+
+3. The Protocol
+
+ The service must accept requests on UDP port 464 and TCP port 464 as
+ well. The protocol consists of a single request message followed by
+ a single reply message. For UDP transport, each message must be fully
+ contained in a single UDP packet.
+
+ For TCP transport, there is a 4 octet header in network byte order
+ precedes the message and specifies the length of the message. This
+ requirement is consistent with the TCP transport header in 1510bis.
+
+Request Message
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | message length | protocol version number |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | AP_REQ length | AP-REQ data /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / KRB-PRIV message /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ All 16 bit fields are in network byte order.
+
+ message length field: contains the number of bytes in the message
+ including this field.
+
+ protocol version number: contains the hex constant 0x0002 (network
+ byte order).
+
+ AP-REQ length: length of AP-REQ data, in bytes. If the length is zero,
+ then the last field contains a KRB-ERROR message instead of a KRB-PRIV
+ message.
+
+ AP-REQ data: (see [3]) The AP-REQ message must be for the service
+ principal kadmin/changepw@REALM, where REALM is the REALM of the user
+ who wishes to change/set his password. The ticket in the AP-REQ must
+ must include a subkey in the Authenticator. To enable setting of
+ passwords/keys, it is not required that the initial flag be set in the
+ Kerberos service ticket. The initial flag is required for change requests,
+ but not for set password requests. We have the following definitions:
+
+ old passwd initial flag target principal can be
+ in request? required? distinct from
+ authenticating principal?
+
+ change password: yes yes no
+
+ set password: no no yes
+
+ set key: no policy yes
+ determined
+
+ KRB-PRIV message (see [3]) This KRB-PRIV message must be generated
+ using the subkey from the authenticator in the AP-REQ data.
+
+ The user-data component of the message consists of the following ASN.1
+ structure encoded as an OCTET STRING:
+
+ ChangePasswdData :: = SEQUENCE {
+ newpasswdorkeys[0] NewPasswdOrKeys,
+ targname[1] PrincipalName OPTIONAL,
+ -- only present in set password: the principal
+ -- which will have its password set
+ targrealm[2] Realm OPTIONAL,
+ -- only present in set password: the realm for
+ -- the principal which will have its password set
+
+ }
+
+ NewPasswdOrKeys :: = CHOICE {
+ passwords[0] PasswordSequence,
+ keyseq[1] KeySequences
+ }
+
+ KeySequences :: = SEQUENCE OF KeySequence
+
+ KeySequence :: = SEQUENCE {
+ key[0] EncryptionKey,
+ salt[1] OCTET STRING OPTIONAL,
+ salt-type[2] INTEGER OPTIONAL
+ }
+
+ PasswordSequence :: = SEQUENCE {
+ newpasswd[0] OCTET STRING,
+ oldpasswd[1] OCTET STRING OPTIONAL
+ -- oldpasswd always present for change password
+ -- but not present for set password
+ }
+
+ The server must verify the AP-REQ message, check whether the client
+ principal in the ticket is authorized to set or change the password
+ (either for that principal, or for the principal in the targname
+ field if present), and decrypt the new password/keys. The server
+ also checks whether the initial flag is required for this request,
+ replying with status 0x0007 if it is not set and should be. An
+ authorization failure is cause to respond with status 0x0005. For
+ forward compatibility, the server should be prepared to ignore fields
+ after targrealm in the structure that it does not understand.
+
+ The newpasswdorkeys field contains either the new cleartext password
+ (with the old cleartext password for a change password operation),
+ or a sequence of encryption keys with their respective salts.
+
+ In the cleartext password case, if the old password is sent in the
+ request, the request is defined to be a change password request. If
+ the old password is not present in the request, the request is a set
+ password request. The server should apply policy checks to the old
+ and new password after verifying that the old password is valid.
+ The server can check validity by obtaining a key from the old
+ password with a keytype that is present in the KDC database for the
+ user and comparing the keys for equality. The server then generates
+ the appropriate keytypes from the password and stores them in the KDC
+
+ database. If all goes well, status 0x0000 is returned to the client
+ in the reply message (see below). For a change password operation,
+ the initial flag in the service ticket MUST be set.
+
+ In the key sequence case, the sequence of keys is sent to the set
+ password service. For a principal that can act as a server, its
+ preferred keytype should be sent as the first key in the sequence,
+ but the KDC is not required to honor this preference. Application
+ servers should use the key sequence option for changing/setting their
+ keys. The set password service should check that all keys are in the
+ proper format, returning the KRB5_KPASSWD_MALFORMED error otherwise.
+
+Reply Message
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | message length | protocol version number |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | AP_REP length | AP-REP data /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / KRB-PRIV message /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+ All 16 bit fields are in network byte order.
+
+ message length field: contains the number of bytes in the message
+ including this field.
+
+ protocol version number: contains the hex constant 0x0002 (network
+ byte order). (The reply message has the same format as in [4]).
+
+ AP-REP length: length of AP-REP data, in bytes. If the length is zero,
+ then the last field contains a KRB-ERROR message instead of a KRB-PRIV
+ message.
+
+ AP-REP data: the AP-REP is the response to the AP-REQ in the request
+ packet.
+
+ KRB-PRIV from [4]: This KRB-PRIV message must be generated using the
+ subkey in the authenticator in the AP-REQ data.
+
+ The server will respond with a KRB-PRIV message unless it cannot
+ validate the client AP-REQ or KRB-PRIV message, in which case it will
+ respond with a KRB-ERROR message. NOTE: Unlike change password version
+ 1, the KRB-ERROR message will be sent back without any encapsulation.
+
+ The user-data component of the KRB-PRIV message, or e-data component
+ of the KRB-ERROR message, must consist of the following data.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | result code | result string /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | edata /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ result code (16 bits) (result codes 0-4 are from [4]):
+ The result code must have one of the following values (network
+ byte order):
+ KRB5_KPASSWD_SUCCESS 0 request succeeds (This value is not
+ allowed in a KRB-ERROR message)
+ KRB5_KPASSWD_MALFORMED 1 request fails due to being malformed
+ KRB5_KPASSWD_HARDERROR 2 request fails due to "hard" error in
+ processing the request (for example,
+ there is a resource or other problem
+ causing the request to fail)
+ KRB5_KPASSWD_AUTHERROR 3 request fails due to an error in
+ authentication processing
+ KRB5_KPASSWD_SOFTERROR 4 request fails due to a soft error
+ in processing the request
+ KRB5_KPASSWD_ACCESSDENIED 5 requestor not authorized
+ KRB5_KPASSWD_BAD_VERSION 6 protocol version unsupported
+ KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 initial flag required
+ KRB5_KPASSWD_POLICY_REJECT 8 new cleartext password fails policy;
+ the result string should include a text message to be presented
+ to the user.
+ KRB5_KPASSWD_BAD_PRINCIPAL 9 target principal does not exist
+ (only in response to a set password request).
+ KRB5_KPASSWD_ETYPE_NOSUPP 10 the request contains a key sequence
+ containing at least one etype that is not supported by the KDC.
+ The response edata contains an ASN.1 encoded PKERB-ETYPE-INFO
+ type that specifies the etypes that the KDC supports:
+
+ KERB-ETYPE-INFO-ENTRY :: = SEQUENCE {
+ encryption-type[0] INTEGER,
+ salt[1] OCTET STRING OPTIONAL -- not sent
+ }
+
+ PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY
+
+ The client should retry the request using only etypes (keytypes)
+ that are contained within the PKERB-ETYPE-INFO structure in the
+ previous response.
+ 0xFFFF if the request fails for some other reason.
+ The client must interpret any non-zero result code as a failure.
+ result string - from [4]:
+ This field is a UTF-8 encoded string which should be displayed
+ to the user by the client. Specific reasons for a password
+ set/change policy failure is one use for this string.
+ edata: used to convey additional information as defined by the
+ result code.
+
+4. References
+
+ [1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
+ 9, RFC 2026, October 1996.
+
+ [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997
+
+ [3] J. Kohl, C. Neuman. The Kerberos Network Authentication
+ Service (V5), Request for Comments 1510.
+
+ [4] M. Horowitz. Kerberos Change Password Protocol,
+ ftp://ds.internic.net/internet-drafts/
+ draft-ietf-cat-kerb-chg-password-02.txt
+
+5. Expiration Date
+
+ This draft expires in September 2000.
+
+6. Authors' Addresses
+
+ Jonathan Trostle
+ Cisco Systems
+ 170 W. Tasman Dr.
+ San Jose, CA 95134
+ Email: jtrostle@cisco.com
+
+ Mike Swift
+ 1 Microsoft Way
+ Redmond, WA 98052
+ Email: mikesw@microsoft.com
+
+ John Brezak
+ 1 Microsoft Way
+ Redmond, WA 98052
+ Email: jbrezak@microsoft.com
+
+ Bill Gossman
+ Cybersafe Corporation
+ 1605 NW Sammamish Rd.
+ Issaquah, WA 98027-5378
+ Email: bill.gossman@cybersafe.com
+
View Lorry Controller Status