[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Pre-Expired Passwords

On Oct 3, 2005, at 7:51 PM, Buck Huppmann wrote:

> On Mon, Oct 03, 2005 at 03:52:47PM -0700, Henry B. Hotz wrote:
>> I don't know how MIT does this, but it would be nice to create some  
>> new
>> principals with a "must change" status.  In other words the only thing
>> they are good for is changing the password, giving them a normal  
>> status
>> after that.
> i used to do this by setting the password-expiration to some date
> already past (e.g., 2000-01-01), which is, yes, a kludge

Should I interpret this as 1) Heimdal already supports this, or 2) MIT  
already supports this (and it makes sense to add it to Heimdal)?

>> An obvious way (to me) to do this would be to special-case the AS-REQ
>> processing for kadmin/changepw so it won't fail if the principal has  
>> an
>> expired password (if everything else is OK).  Then the user can use  
>> the
>> password change service, but nothing else.
> this is indeed the case, b/c the kadmin/changepw entry is set up
> with a pwchange-service attribute in the realm database and the KDC
> makes an exception for such services when determining whether to
> issue a ticket or not and finds the client's key expired
>> If they change their
>> password then I think the existing code would just compute a new
>> expiration date and everything becomes normal.
> looks like the code (i'm looking at a very old copy in OpenBSD's
> cvsweb) bumps the password expiration 365 days from the instant of
> password change by default or by the krb5.conf [kadmin]
> password_lifetime setting on the kpasswdd server

Yes.  (No special case for the password being already expired, I  

Except if the expiration is already 'never', in which case it's left  

> --buck
>> Problems?  Better way to do it?  Heimdal already has a way to do it I
>> don't know about?
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu