Re: Pre-Expired Passwords
On Oct 3, 2005, at 7:51 PM, Buck Huppmann wrote:
> On Mon, Oct 03, 2005 at 03:52:47PM -0700, Henry B. Hotz wrote:
>> I don't know how MIT does this, but it would be nice to create some
>> new principals with a "must change" status. In other words the only
>> thing they are good for is changing the password, giving them a
>> normal status after that.
>
> i used to do this by setting the password-expiration to some date
> already past (e.g., 2000-01-01), which is, yes, a kludge
Should I interpret this as 1) Heimdal already supports this, or 2) MIT
already supports this (and it makes sense to add it to Heimdal)?
>> An obvious way (to me) to do this would be to special-case the AS-REQ
>> processing for kadmin/changepw so it won't fail if the principal has
>> an expired password (if everything else is OK). Then the user can use
>> the password change service, but nothing else.
>
> this is indeed the case, b/c the kadmin/changepw entry is set up
> with a pwchange-service attribute in the realm database and the KDC
> makes an exception for such services when determining whether to
> issue a ticket or not and finds the client's key expired
>
>> If they change their
>> password then I think the existing code would just compute a new
>> expiration date and everything becomes normal.
>
> looks like the code (i'm looking at a very old copy in OpenBSD's
> cvsweb) bumps the password expiration 365 days from the instant of
> password change by default or by the krb5.conf [kadmin]
> password_lifetime setting on the kpasswdd server
Yes. (No special case for the password being already expired, I
gather.)
Except if the expiration is already 'never', in which case it's left
alone.
> --buck
>
>>
>> Problems? Better way to do it? Heimdal already has a way to do it I
>> don't know about?
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
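The behaviour the thread describes (a pre-expired password blocks every AS-REQ except one for a pwchange-service principal, and a successful change bumps the expiration by the configured lifetime unless it is 'never') can be modelled in a few lines. The following is an added illustration, not Heimdal or MIT code; the `Principal` class, the `pwchange_service` flag and the 365-day default are assumptions made to mirror the thread's description, and the dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed default, matching the 365-day figure mentioned in the thread
# (krb5.conf [kadmin] password_lifetime would override it on kpasswdd).
DEFAULT_PASSWORD_LIFETIME = timedelta(days=365)


@dataclass
class Principal:
    """Minimal model of a realm database entry (constructed for this example)."""
    name: str
    pw_expiration: Optional[datetime]   # None models the 'never' value
    pwchange_service: bool = False      # attribute set on kadmin/changepw


def password_expired(client: Principal, now: datetime) -> bool:
    """An expiration of 'never' is never expired; otherwise compare to now."""
    return client.pw_expiration is not None and client.pw_expiration <= now


def kdc_should_issue(client: Principal, service: Principal, now: datetime) -> bool:
    """Model of the AS-REQ decision: an expired client key blocks every
    ticket except one for a service carrying the pwchange-service attribute."""
    if not password_expired(client, now):
        return True
    return service.pwchange_service


def pre_expire(principal: Principal) -> None:
    """The 'kludge' from the thread: set the expiration to a date already past,
    so the only thing the principal can do is change its password."""
    principal.pw_expiration = datetime(2000, 1, 1)


def bump_after_change(principal: Principal, now: datetime,
                      password_lifetime: timedelta = DEFAULT_PASSWORD_LIFETIME
                      ) -> Optional[datetime]:
    """Model of kpasswdd after a successful change: advance the expiration by
    the lifetime from the instant of change, but leave 'never' untouched."""
    if principal.pw_expiration is None:
        return None
    principal.pw_expiration = now + password_lifetime
    return principal.pw_expiration


def run_scenario() -> dict:
    """Walk a freshly created 'must change' user through the flow and report
    each decision, so the results can be checked without printing."""
    now = datetime(2005, 10, 3, 15, 52)          # constructed timestamp
    changepw = Principal("kadmin/changepw", None, pwchange_service=True)
    tgs = Principal("krbtgt/EXAMPLE.ORG", None)   # assumed realm name
    user = Principal("newuser", None)
    pre_expire(user)

    results = {
        "before_change_tgt": kdc_should_issue(user, tgs, now),
        "before_change_changepw": kdc_should_issue(user, changepw, now),
    }
    new_exp = bump_after_change(user, now)
    results["new_expiration"] = new_exp.date().isoformat()
    results["after_change_tgt"] = kdc_should_issue(user, tgs, now)

    # A principal whose expiration is 'never' is left alone by the bump.
    forever = Principal("admin", None)
    results["never_stays_never"] = bump_after_change(forever, now) is None
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model makes the two points of the thread explicit: the pre-expired principal is refused a TGT but not a kadmin/changepw ticket, and once the password is changed the expiration is simply recomputed from the change time, with no special handling of the already-expired case.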