[32867] in Kerberos


Re: Creating principal with +needchange and -pwexpire?

daemon@ATHENA.MIT.EDU (Andreas Ntaflos)
Tue Nov 9 12:25:11 2010

From: Andreas Ntaflos <daff@pseudoterminal.org>
To: Russ Allbery <rra@stanford.edu>
Date: Tue, 9 Nov 2010 18:20:10 +0100
In-Reply-To: <87k4kmtp5b.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Message-Id: <201011091820.11057.daff@pseudoterminal.org>
Cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu


On Tuesday 09 November 2010 17:53:04 Russ Allbery wrote:
> Andreas Ntaflos <daff@pseudoterminal.org> writes:
> > I would have thought that the following command does what I want:
> >
> > kadmin.local -q "addprinc +needchange +requires_preauth \
> >   -pwexpire '15 minutes' -pw secret foobar"
> >
> > If I understand correctly this adds a new principal foobar with
> > password "secret" that should expire in 15 minutes and needs to
> > change the password on the next kinit call. The "requires_preauth"
> > seems to be set by the default policy and needs to be there,
> > otherwise the principal cannot be authenticated.
> >
> > Unfortunately the user can still log in (and is prompted to change
> > his password by the system) even after the temporary password is
> > past its expiration date.
> >=20
> > Why so? Does "+needchange" take precedence over any password
> > expiration date?
>
> No, password expiration dates don't mean what you think they mean.  A
> password expiration date is the date after which the user is forced
> to change their password.  It doesn't disable the principal
> entirely.  An expired password configured via -pwexpire is exactly
> equivalent to marking the account with +needchange, so far as I can
> determine, except that +needchange is cleared completely on the
> next password change but -pwexpire dates are pushed out by the
> password expiration time from the password policy.

Interesting, I really misunderstood what password expiration dates mean.
Thanks for the explanation!

> I don't think there's a way to do what you want entirely
> automatically. You can set an expiration on the *principal*, but
> that isn't cleared automatically on password change; you'll need
> some process to go back and clear those expirations if the user
> changed their password.

That is unfortunate but not the end of the world. Devising such a
process shouldn't be too difficult, maybe using cron or at.

Anyway, thank you very much for the quick and helpful reply!

Andreas
-- 
Andreas Ntaflos
Vienna, Austria

GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC  7E65 397C E2A8 090C A9B4
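The "process to go back and clear those expirations" that the reply describes, written out as an added example (not code from either poster): the temporary account gets a principal expiration (-expire) instead of a password expiration, and a cron-driven sweep clears that expiration once kadmin's getprinc listing no longer shows REQUIRES_PWCHANGE, which MIT kadmin drops from the Attributes line when the password is changed. It assumes MIT kadmin.local on the KDC host; the realm EXAMPLE.COM, the principal name, the function names and the three getprinc listings are constructed for illustration and are not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes MIT kadmin.local is on
# the PATH on the KDC host. Realm, principal names, function names and the
# getprinc samples below are constructed for illustration.
set -u

# Create the temporary account the way the reply suggests: a *principal*
# expiration (-expire) rather than a password expiration (-pwexpire), so
# the account stops authenticating entirely once the deadline passes, plus
# +needchange so a user who logs in before then must pick a new password.
# The date is double-quoted so kadmin's own query parser keeps it as one
# argument. Not run by the test (needs a live KDC).
create_temp_principal() {
    princ=$1; temp_pw=$2
    kadmin.local -q "addprinc +needchange +requires_preauth -expire \"15 minutes\" -pw $temp_pw $princ"
}

# Decide, from the text of "getprinc <principal>", whether the expiration
# should be cleared: only when the user has already changed the password
# (REQUIRES_PWCHANGE is gone from the Attributes line) and an expiration
# date is still set. Exit status 0 means "clear it", 1 means "leave it".
# A principal that expired with the temporary password unchanged therefore
# stays disabled, which is the point of the exercise.
should_clear_expiration() {
    printf '%s\n' "$1" | awk '
        /^Attributes:/ && /REQUIRES_PWCHANGE/ { still_needs_change = 1 }
        /^Expiration date:/ && !/\[never\]/   { has_expiration = 1 }
        END { exit !(has_expiration && !still_needs_change) }'
}

# Clear the expiration of one principal if its temporary password has been
# changed. Not run by the test (needs a live KDC).
clear_expiration_if_changed() {
    princ=$1
    listing=$(kadmin.local -q "getprinc $princ") || return 1
    if should_clear_expiration "$listing"; then
        kadmin.local -q "modprinc -expire never $princ"
        echo "cleared expiration on $princ"
    fi
}

# Sweep every principal in the database. Only lines of the form name@REALM
# are principals; kadmin.local's "Authenticating as principal ..." banner
# contains spaces and is skipped. Meant for a root crontab line such as
#   */5 * * * * /usr/local/sbin/clear-temp-expirations --sweep
sweep_all() {
    kadmin.local -q listprincs | grep -E '^[^ ]+@[^ ]+$' | while read -r princ; do
        clear_expiration_if_changed "$princ"
    done
}

# Constructed getprinc listings, abbreviated to the lines the check reads.
# Temporary password not yet changed: leave the expiration in place.
SAMPLE_UNCHANGED='Principal: foobar@EXAMPLE.COM
Expiration date: Tue Nov 09 18:35:10 CET 2010
Last password change: Tue Nov 09 18:20:10 CET 2010
Password expiration date: [never]
Attributes: REQUIRES_PRE_AUTH REQUIRES_PWCHANGE
Policy: default'

# Password changed before the deadline: the expiration should be cleared.
SAMPLE_CHANGED='Principal: foobar@EXAMPLE.COM
Expiration date: Tue Nov 09 18:35:10 CET 2010
Last password change: Tue Nov 09 18:27:41 CET 2010
Password expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: default'

# Already handled on an earlier sweep: nothing to do.
SAMPLE_ALREADY_CLEARED='Principal: foobar@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Nov 09 18:27:41 CET 2010
Attributes: REQUIRES_PRE_AUTH
Policy: default'

if [ "${1:-}" = "--sweep" ]; then
    sweep_all
fi
```

The check keys on REQUIRES_PWCHANGE rather than on "Last password change" so that an administrator clearing +needchange by hand counts the same as the user changing the password; if that is not wanted, compare the "Last password change" timestamp against the creation time instead.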


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
