Re: [kitten] Non-Password Password Change
Greg Hudson <ghudson@mit.edu> Thu, 15 October 2015 21:51 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEA8F1A6FC0 for <kitten@ietfa.amsl.com>; Thu, 15 Oct 2015 14:51:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eC0npsqsQwEG for <kitten@ietfa.amsl.com>; Thu, 15 Oct 2015 14:51:55 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D6D11A6FAD for <kitten@ietf.org>; Thu, 15 Oct 2015 14:51:55 -0700 (PDT)
X-AuditID: 12074424-f79106d000007367-1a-56201ff9e2b0
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id 6C.E7.29543.AFF10265; Thu, 15 Oct 2015 17:51:54 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id t9FLpr6u032763; Thu, 15 Oct 2015 17:51:53 -0400
Received: from [18.101.8.93] (vpn-18-101-8-93.mit.edu [18.101.8.93]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t9FLpobK004240 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 15 Oct 2015 17:51:52 -0400
To: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>, kitten@ietf.org
References: <63860D22-138C-430F-B615-06CBB14654CC@oxy.edu>
From: Greg Hudson <ghudson@mit.edu>
X-Enigmail-Draft-Status: N1110
Message-ID: <56201FF6.4070902@mit.edu>
Date: Thu, 15 Oct 2015 17:51:50 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <63860D22-138C-430F-B615-06CBB14654CC@oxy.edu>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrBIsWRmVeSWpSXmKPExsUixG6novtLXiHMYP4adouP9xayWBzdvIrF gcljyZKfTB5bm/4yBzBFcdmkpOZklqUW6dslcGVsP3CbqeAyZ0VvewNrA+N79i5GTg4JAROJ k53PWCFsMYkL99azdTFycQgJLGaSWHa6hwnC2cgoMfXdWkYI5yCTxLwjV9hAWoQFjCTuTH4N ZHNwiAg4SZydVQsSFhKwkvi7aBXYVDYBZYn1+7eyQGyQk+jtngRm8wqoSfw5Mw2shkVAVWLu pS6wuKhAhMSps2/ZIGoEJU7OfAIW5xSwlrgzaTFYPbOAusSfeZeYIWx5ieats5knMArOQtIy C0nZLCRlCxiZVzHKpuRW6eYmZuYUpybrFicn5uWlFuma6+VmluilppRuYgQHsIvKDsbmQ0qH GAU4GJV4eDuAgS3EmlhWXJl7iFGSg0lJlPesEFCILyk/pTIjsTgjvqg0J7X4EKMEB7OSCO8d NqAcb0piZVVqUT5MSpqDRUmcd9MPvhAhgfTEktTs1NSC1CKYrAwHh5IE72M5oEbBotT01Iq0 zJwShDQTByfIcB6g4c9AaniLCxJzizPTIfKnGBWlxHmPgyQEQBIZpXlwveAEk8oR+4pRHOgV YV5ekFd4gMkJrvsV0GAmoMF7/suCDC5JREhJNTBaql8ySDWb+CTu+q/G3TFeJUvfach4X3jw 5LXoeYkNK3Zt277l1fPyLJH4hXsXGd+ZdnB3Fgvz0V3zJm0xZi7/4SdnN3kZo+Hdlo+n3rP0 5Ab2cd2bZrpt5zQRAYmeX89v5G5nOS0neuEYW4MA5/cSnSMNM289kf4Yk/iw9pjDKZc9b4NK +trvKLEUZyQaajEXFScCAIEIToILAwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/4uKeu1LVkIhqlmk-qz8LxL-yCZ8>
Subject: Re: [kitten] Non-Password Password Change
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2015 21:51:57 -0000
On 10/15/2015 03:59 PM, Henry B (Hank) Hotz, CISSP wrote:
> There’s been work on improved password change protocols, but I’m not sure how much actually completed. I also remember once suggesting that loading a KDB entry from a keytab file would be useful, at least for handling cross-realm principals.
I believe the most recent work is:
https://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-set-passwd-08
I vaguely recall an explicit decision not to continue with that work
because no one believed they were likely to implement it.
> Are there any password change protocols where you can supply the enctype and a key instead of a text password?
This is probably obvious, but any such facility allows the client to
circumvent password policies, and therefore usually require special
permissions.
I believe you are correct that in current implementations, the only way
to do that is via implementation-specific admin interfaces.
Another mode I would find interesting is one where the server makes up a
new password and tells you what it is. I don't know if it would get
much use (I've never seen passwords managed that way in any
environment), but it seems like a reasonable way to mitigate risk.
- [kitten] Non-Password Password Change Henry B (Hank) Hotz, CISSP
- Re: [kitten] Non-Password Password Change Greg Hudson
- Re: [kitten] Non-Password Password Change Henry B (Hank) Hotz, CISSP
- Re: [kitten] Non-Password Password Change D.Rogers
- Re: [kitten] Non-Password Password Change Nico Williams