Re: Pre-Expired Passwords
On Mon, Oct 03, 2005 at 03:52:47PM -0700, Henry B. Hotz wrote:
> I don't know how MIT does this, but it would be nice to create some new
> principals with a "must change" status. In other words the only thing
> they are good for is changing the password, giving them a normal status
> after that.
i used to do this by setting the password-expiration to some date
already past (e.g., 2000-01-01), which is, yes, a kludge
>
> An obvious way (to me) to do this would be to special-case the AS-REQ
> processing for kadmin/changepw so it won't fail if the principal has an
> expired password (if everything else is OK). Then the user can use the
> password change service, but nothing else.
this is indeed the case, b/c the kadmin/changepw entry is set up
with a pwchange-service attribute in the realm database and the KDC
makes an exception for such services when determining whether to
issue a ticket or not and finds the client's key expired
> If they change their
> password then I think the existing code would just compute a new
> expiration date and everything becomes normal.
looks like the code (i'm looking at a very old copy in OpenBSD's
cvsweb) bumps the password expiration 365 days from the instant of
password change by default or by the krb5.conf [kadmin]
password_lifetime setting on the kpasswdd server
--buck
>
> Problems? Better way to do it? Heimdal already has a way to do it I
> don't know about?
> ----------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
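To make the behaviour discussed in the thread concrete, here is a small model of the two pieces buck describes: the KDC's AS-REQ check that refuses a client with an expired key unless the requested server carries the pwchange-service attribute, and kpasswdd bumping the expiration by the [kadmin] password_lifetime (365 days by default) from the moment the password is changed. This is an added illustration written for this page, not Heimdal's code; the `Principal` class, the `pwchange_service` flag name, the principal names and the timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed model of the logic described in the thread. Heimdal stores the
# flag in the HDB and makes the decision in the KDC; this is a simplification
# for illustration, not the real data structures.

CHANGEPW_PRINCIPAL = "kadmin/changepw"
DEFAULT_PASSWORD_LIFETIME = timedelta(days=365)  # kpasswdd default per the thread
# Hypothetical "now" for the demo (constructed, matches the date of the post).
DEMO_NOW = datetime(2005, 10, 3, 22, 52, 47, tzinfo=timezone.utc)


class Principal:
    """Minimal stand-in for a realm database entry (assumed shape)."""

    def __init__(self, name, pw_expiration=None, pwchange_service=False):
        self.name = name
        self.pw_expiration = pw_expiration        # None means the password never expires
        self.pwchange_service = pwchange_service  # the attribute kadmin/changepw carries


def password_expired(client, now):
    """True when the client's password expiration lies at or before 'now'."""
    return client.pw_expiration is not None and client.pw_expiration <= now


def as_req_allowed(client, server, now):
    """Model of the KDC exception: an expired client key blocks every service
    except one flagged as a password-change service. Returns (allowed, reason)."""
    if not password_expired(client, now):
        return True, "password valid"
    if server.pwchange_service:
        return True, "password expired, but server is a pwchange-service"
    return False, "password expired"


def pre_expire(client, when=datetime(2000, 1, 1, tzinfo=timezone.utc)):
    """The kludge from the thread: force 'must change' by setting the
    password expiration to a date that is already in the past."""
    client.pw_expiration = when
    return client


def change_password(client, now, password_lifetime=DEFAULT_PASSWORD_LIFETIME):
    """Simulate kpasswdd computing the new expiration: password_lifetime
    (default 365 days) counted from the instant of the change."""
    client.pw_expiration = now + password_lifetime
    return client.pw_expiration


def demo(now=DEMO_NOW):
    """Walk a pre-expired user through the flow and report each decision."""
    changepw = Principal(CHANGEPW_PRINCIPAL, pwchange_service=True)
    host = Principal("host/kdc.example.test")          # constructed, ordinary service
    user = pre_expire(Principal("alice"))               # constructed user principal
    results = {
        "before_host": as_req_allowed(user, host, now)[0],
        "before_changepw": as_req_allowed(user, changepw, now)[0],
    }
    results["new_expiration"] = change_password(user, now)
    results["after_host"] = as_req_allowed(user, host, now)[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the pre-expired user is refused a ticket for the host service, is still allowed one for kadmin/changepw, and after the change is back to normal with an expiration one year out.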