Re: Password expiration (+ Doc patch)
Doesn't do it for me. Debugging suggestions?
Would I be better off if I init'ed the db and *then* imported my
kaserver db, or would the import just wipe out the init?
At 1:03 PM +0100 3/17/04, Johan Danielsson wrote:
>"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:
>
>> I can set an expiration date, but when I change a password the
>> expiration gets set to 'never'.
>
>It should get set to now + 1 year or whatever is in
>[kadmin] password_lifetime.
# kadmin -l
kadmin> get hotz
Principal: hotz@JPL.NASA.GOV
Principal expires: never
Password expires: never
...
Kvno: 47
...
kadmin> passwd hotz
hotz@JPL.NASA.GOV's Password:
Verifying password - hotz@JPL.NASA.GOV's Password:
kadmin> get hotz
Principal: hotz@JPL.NASA.GOV
Principal expires: never
Password expires: never
...
Kvno: 48
...
kadmin> exit
# fgrep password /etc/krb5.conf
password_lifetime = 6m
[password_quality]
????
I note that that option is not documented in the krb5.conf man page.
Here's a patch to add it:
diff -c krb5.conf.5.orig krb5.conf.5
*** krb5.conf.5.orig Wed Mar 17 12:33:24 2004
--- krb5.conf.5 Wed Mar 17 13:00:16 2004
***************
*** 364,369 ****
--- 364,371 ----
.Bl -tag -width "xxx" -offset indent
.It require-preauth = Va BOOL
If pre-authentication is required to talk to the kadmin server.
+ .It password_lifetime = Va time
+ Time until password expires.
.It default_keys = Va keytypes...
for each entry in
.Va default_keys
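Review bot: The description added under ".It password_lifetime = Va time" ("Time until password expires.") does not say when the lifetime is applied or what happens when the option is unset. Going by the reply quoted earlier in this thread, the expiration is set on a password change to now plus the configured value, or now + 1 year otherwise, so the entry could read along the lines of "Lifetime given to a password when it is changed" and name that fallback. It should also state how a time value is written, since the thread's krb5.conf uses "6m" and nothing in the entry tells the reader how units are spelled. The ".It ... = Va" form matches the neighbouring require-preauth and default_keys entries in this hunk, so a switch to ".It Li" would be better done as a separate change over the whole list.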
Shouldn't that be ".It Li" instead of just ".It" to make [kadmin]
look like [appdefaults]? You can shoot me for stylistic nit-picking
now.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu