[32865] in Kerberos


Re: Creating principal with +needchange and -pwexpire?

daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Nov 9 11:53:20 2010

From: Russ Allbery <rra@stanford.edu>
To: Andreas Ntaflos <daff@pseudoterminal.org>
In-Reply-To: <201011091702.15941.daff@pseudoterminal.org> (Andreas Ntaflos's
	message of "Tue, 9 Nov 2010 17:02:15 +0100")
Date: Tue, 09 Nov 2010 08:53:04 -0800
Message-ID: <87k4kmtp5b.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Andreas Ntaflos <daff@pseudoterminal.org> writes:

> I would have thought that the following command does what I want:

> kadmin.local -q "addprinc +needchange +requires_preauth \
>   -pwexpire '15 minutes' -pw secret foobar"

> If I understand correctly this adds a new principal foobar with password
> "secret" that should expire in 15 minutes and needs to change the
> password on the next kinit call. The "requires_preauth" seems to be set
> by the default policy and needs to be there, otherwise the principal
> cannot be authenticated.

> Unfortunately the user can still log in (and is prompted to change his 
> password by the system) even after the temporary password is past its 
> expiration date.

> Why so? Does "+needchange" take precedence over any password expiration 
> date?

No, password expiration dates don't mean what you think they mean.  A
password expiration date is the date after which the user is forced to
change their password.  It doesn't disable the principal entirely.  An
expired password configured via -pwexpire is exactly equivalent to marking
the account with +needchange, so far as I can determine, except that
+needchange is cleared completely on the next password change but
-pwexpire dates are pushed out by the password expiration time from the
password policy.

I don't think there's a way to do what you want entirely automatically.
You can set an expiration on the *principal*, but that isn't cleared
automatically on password change; you'll need some process to go back and
clear those expirations if the user changed their password.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
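Russ's suggestion of expiring the principal itself and having a separate process clear that expiration once the user has changed the temporary password, as an added example that is not part of the thread: a POSIX shell sweep that treats the disappearance of the REQUIRES_PWCHANGE attribute (what +needchange sets, and what a password change clears) as the sign that the change happened. kadmin.local with its listprincs/getprinc/modprinc commands and the getprinc output labels are MIT Kerberos; the KADMIN_SWEEP_RUN variable and the sample getprinc output are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes MIT Kerberos' kadmin.local
# on PATH, run as root on the KDC, for principals created as Russ suggests:
#   kadmin.local -q "addprinc +needchange -expire '15 minutes' -pw secret foobar"
# +needchange sets the REQUIRES_PWCHANGE attribute, which the KDC clears when
# the user changes the password; the principal expiration is not cleared, so
# this sweep removes it once the attribute is gone.

# Read getprinc output on stdin. Return 0 when the expiration should be
# cleared (an expiration is set and REQUIRES_PWCHANGE is gone), else 1.
should_clear_expiration() {
    _out=$(cat)
    # Nothing to do if no expiration is set on the principal.
    printf '%s\n' "$_out" | grep -q '^Expiration date: \[never\]' && return 1
    printf '%s\n' "$_out" | grep -q '^Expiration date: ' || return 1
    # Attribute still present: temporary password unchanged, keep the expiry.
    printf '%s\n' "$_out" | grep '^Attributes:' | grep -q 'REQUIRES_PWCHANGE' && return 1
    return 0
}

# Walk every principal in the realm and clear expirations no longer needed.
# Principal names contain no spaces, so the space filter drops chatter lines.
sweep_expirations() {
    kadmin.local -q listprincs | grep '@' | grep -v ' ' | while read -r princ; do
        if kadmin.local -q "getprinc $princ" | should_clear_expiration; then
            kadmin.local -q "modprinc -expire never $princ"
        fi
    done
}

# Constructed getprinc output (abridged) for an offline check: the user has
# already changed the temporary password, so only REQUIRES_PRE_AUTH remains.
CONSTRUCTED_CHANGED='Principal: foobar@EXAMPLE.COM
Expiration date: Tue Nov 09 17:17:15 CET 2010
Last password change: Tue Nov 09 17:05:40 CET 2010
Attributes: REQUIRES_PRE_AUTH
Policy: default'

# Same principal before the change: the attribute is still set.
CONSTRUCTED_UNCHANGED='Principal: foobar@EXAMPLE.COM
Expiration date: Tue Nov 09 17:17:15 CET 2010
Last password change: Tue Nov 09 17:02:15 CET 2010
Attributes: REQUIRES_PRE_AUTH REQUIRES_PWCHANGE
Policy: default'

# Only run the real sweep when asked; sourcing the file just defines functions.
if [ "${KADMIN_SWEEP_RUN:-0}" = 1 ]; then
    sweep_expirations
fi
```

The check clears every finite principal expiration on any principal that lacks REQUIRES_PWCHANGE, so restrict the sweep to the principals created by this workflow (for instance by name pattern) before running it against a realm that also expires accounts for other reasons.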
