
Re: Pre-Expired Passwords




On Oct 3, 2005, at 7:51 PM, Buck Huppmann wrote:

> On Mon, Oct 03, 2005 at 03:52:47PM -0700, Henry B. Hotz wrote:
>> I don't know how MIT does this, but it would be nice to create some new
>> principals with a "must change" status.  In other words the only thing
>> they are good for is changing the password, giving them a normal status
>> after that.
>
> I used to do this by setting the password-expiration to some date
> already past (e.g., 2000-01-01), which is, yes, a kludge

Should I interpret this as 1) Heimdal already supports this, or 2) MIT
already supports this (and it makes sense to add it to Heimdal)?

>> An obvious way (to me) to do this would be to special-case the AS-REQ
>> processing for kadmin/changepw so it won't fail if the principal has an
>> expired password (if everything else is OK).  Then the user can use the
>> password change service, but nothing else.
>
> this is indeed the case, b/c the kadmin/changepw entry is set up
> with a pwchange-service attribute in the realm database and the KDC
> makes an exception for such services when determining whether to
> issue a ticket or not and finds the client's key expired
>
>> If they change their
>> password then I think the existing code would just compute a new
>> expiration date and everything becomes normal.
>
> looks like the code (I'm looking at a very old copy in OpenBSD's
> cvsweb) bumps the password expiration 365 days from the instant of
> password change by default or by the krb5.conf [kadmin]
> password_lifetime setting on the kpasswdd server

Yes.  (No special case for the password being already expired, I gather.)

Except if the expiration is already 'never', in which case it's left alone.

> --buck
>
>>
>> Problems?  Better way to do it?  Heimdal already has a way to do it I
>> don't know about?
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
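The pre-expired-password flow the thread describes, as an added example that is not part of the original post and is not Heimdal's code: a simplified Python model of the KDC's expired-key check with the pwchange-service exception, and of kpasswdd's expiration bump after a successful change. The principal names, the realm EXAMPLE.ORG, the constructed dates, and the use of the RFC 4120 error name KDC_ERR_KEY_EXPIRED are assumptions of the model.

```python
from datetime import datetime, timedelta, timezone

NEVER = None  # a pw-expiration of 'never' is modelled as None

class Principal:
    def __init__(self, name, pw_expiration=NEVER, attributes=()):
        self.name = name
        self.pw_expiration = pw_expiration  # aware datetime, or NEVER
        self.attributes = frozenset(attributes)

def password_expired(client, now):
    return client.pw_expiration is not NEVER and client.pw_expiration <= now

def kdc_as_req(client, service, now):
    """AS-REQ decision (simplified): an expired client key is refused
    (KDC_ERR_KEY_EXPIRED, RFC 4120 code 23) unless the requested service
    carries the pwchange-service attribute, as kadmin/changepw does."""
    if password_expired(client, now) and "pwchange-service" not in service.attributes:
        return "KDC_ERR_KEY_EXPIRED"
    return "TICKET"

def kpasswdd_change(client, now, password_lifetime=timedelta(days=365)):
    """After a successful change, pw-expiration becomes now + [kadmin]
    password_lifetime (365 days by default); 'never' is left alone."""
    if client.pw_expiration is not NEVER:
        client.pw_expiration = now + password_lifetime
    return client.pw_expiration

def pre_expired_flow(now=datetime(2005, 10, 4, tzinfo=timezone.utc)):
    """Constructed scenario: a new principal pre-expired to 2000-01-01 can
    only reach kadmin/changepw until it has changed its password."""
    user = Principal("newuser@EXAMPLE.ORG",
                     pw_expiration=datetime(2000, 1, 1, tzinfo=timezone.utc))
    changepw = Principal("kadmin/changepw@EXAMPLE.ORG",
                         attributes={"pwchange-service"})
    host = Principal("host/login.example.org@EXAMPLE.ORG")
    before_host = kdc_as_req(user, host, now)          # refused
    before_changepw = kdc_as_req(user, changepw, now)  # allowed
    new_expiry = kpasswdd_change(user, now)            # bumped 365 days
    after_host = kdc_as_req(user, host, now)           # now allowed
    return before_host, before_changepw, new_expiry, after_host

if __name__ == "__main__":
    print(pre_expired_flow())
```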