Creating principal with +needchange and -pwexpire?

daemon@ATHENA.MIT.EDU (Andreas Ntaflos)
Tue Nov 9 11:06:41 2010

To: kerberos@mit.edu
From: Andreas Ntaflos <daff@pseudoterminal.org>
Date: Tue, 9 Nov 2010 17:02:15 +0100

[Apologies, I sent this message earlier but from a non-subscribed
account of mine. I hope a moderator catches and discards it.]

Hello list,

I am not quite new to Kerberos but never had to do much more than create
and delete principals, so I am not very experienced administrating
Kerberos. Thus my question. I am using Ubuntu 10.04 Server, krb5-kdc and
krb5-admin-server in version 1.8.1 (1.8.1+dfsg-2ubuntu0.3 to be exact).

Is it possible to create a new principal that requires its user to
change the password and expires after a certain time if the user does
not log in to change it?

I would have thought that the following command does what I want:

kadmin.local -q "addprinc +needchange +requires_preauth \
  -pwexpire '15 minutes' -pw secret foobar"

If I understand correctly this adds a new principal foobar with password
"secret" that should expire in 15 minutes and needs to change the
password on the next kinit call. The "requires_preauth" seems to be set
by the default policy and needs to be there, otherwise the principal
cannot be authenticated.

Unfortunately the user can still log in (and is prompted to change his
password by the system) even after the temporary password is past its
expiration date.

Why so? Does "+needchange" take precedence over any password expiration
date?

I want to do this because we create principals by Python scripts and
send users the credentials by unencrypted email, including a temporary
password. This password must be changed by the user and we don't want
the temporary password to be valid forever if a user is too lazy to log
in and change it in time. If it were, anyone who manages to get hold of
the email message containing the credentials could use the account.
Minimising that risk is just good security policy, although in reality
that particular scenario is not very likely to really occur.

Thanks in advance!

Andreas
-- 
Andreas Ntaflos
Vienna, Austria

GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC  7E65 397C E2A8 090C A9B4
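An added example, not part of Andreas's post or of MIT Kerberos itself: a small Python audit over MIT kadmin "getprinc" output that lists principals whose -pwexpire has already passed while REQUIRES_PWCHANGE (the attribute set by +needchange) is still present, the state in which, as observed above, the mailed temporary password still gets the holder in. Field and attribute names follow kadmin's getprinc output; the three records, the UTC zone in the timestamps and the reference time are constructed.

```python
from datetime import datetime, timezone

# Constructed sample of `kadmin.local -q "getprinc <name>"` output for three
# principals, trimmed to the fields used here; zone written as UTC (assumption).
SAMPLE_GETPRINC = """\
Principal: foobar@EXAMPLE.COM
Password expiration date: Tue Nov 09 16:17:15 UTC 2010
Attributes: REQUIRES_PRE_AUTH REQUIRES_PWCHANGE

Principal: alice@EXAMPLE.COM
Password expiration date: [never]
Attributes: REQUIRES_PRE_AUTH

Principal: bob@EXAMPLE.COM
Password expiration date: Wed Nov 10 16:17:15 UTC 2010
Attributes: REQUIRES_PRE_AUTH REQUIRES_PWCHANGE
"""
EXAMPLE_NOW = datetime(2010, 11, 9, 17, 0, tzinfo=timezone.utc)  # after foobar's pwexpire

def parse_getprinc(text):
    """Split concatenated getprinc output into one dict per principal."""
    records, current = [], {}
    for line in filter(None, text.splitlines()):   # skip blank separator lines
        key, _, value = line.partition(":")
        if key == "Principal" and current:
            records.append(current)
            current = {}
        current[key.strip()] = value.strip()
    return records + [current] if current else records

def parse_kadmin_date(value):
    """'Tue Nov 09 16:17:15 UTC 2010' -> aware datetime; None for [never]."""
    if value == "[never]":
        return None
    t = value.split()                    # drop the zone token (all UTC here)
    naive = datetime.strptime(" ".join(t[:4] + t[5:]), "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)

def stale_temporary_passwords(text, now):
    """Principals past pwexpire that still carry REQUIRES_PWCHANGE: the mailed
    temporary password was never replaced, yet (as the post observed) it still
    lets the user log in and is merely asked to change it."""
    hits = []
    for rec in parse_getprinc(text):
        exp = parse_kadmin_date(rec.get("Password expiration date", "[never]"))
        if "REQUIRES_PWCHANGE" in rec.get("Attributes", "").split() \
                and exp is not None and exp < now:
            hits.append(rec["Principal"])
    return hits
```

Feed it the concatenated output of getprinc for the principals your creation script mailed credentials for; any principal it reports still has an outstanding temporary password worth revoking or re-issuing.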

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos