[19164] in Kerberos


Improved support for password/principal expiration

daemon@ATHENA.MIT.EDU (James F.Hranicky)
Fri May 2 09:35:29 2003

Date: Fri, 2 May 2003 09:34:33 -0400
From: "James F.Hranicky" <jfh@cise.ufl.edu>
To: kerberos@MIT.EDU
Message-Id: <20030502093433.109d1810.jfh@cise.ufl.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Currently, Kerberos cannot notify users of both impending principal 
expiration and impending password expiration due to the fact that 
there is only one field (key_exp) in struct _krb5_enc_kdc_rep_part {}.

Looking through the code, it seems that it may be possible to add
another field to struct _krb5_enc_kdc_rep_part (e.g. princ_exp) at 
the end and to the asn1_encode/asn1_decode routines (as each field takes 
a field number) without causing problems with implementations that don't 
have this functionality. However, before I start doing anything, I'd love 
to know from the experts if this will break existing implementations when 
talking to a KDC modified in this way.

Otherwise, I'd be glad to add this functionality myself and send in a
patch.

Also, if this sounds useful, would anyone be interested in some 
modifications to krb5_g_i_c_p() that allow for more sysadmin configurability? 
Things like these:

	- ability to configure when warning messages are sent back. Currently,
	  it's seven days, but with the enhanced notification ability, I may
	  want to set password expiration notification to occur within a month 
	  of expiration, while I may set principal expiration notification to
	  occur a semester before the account expires to give people fair
	  enough warning.

	- ability to customize the messages sent back, say, including a web
	  page for instructions on how to renew an account to prevent the 
	  principal expiration at the end of the semester.

Currently, accounts stay open by default until I expire them (3 times a
year), but I would rather the default be that an account will expire unless 
the user renews it. This way, old accounts don't stay open if I miss one
:-> However, this functionality really requires that the user be well 
informed of when the account will expire, along with the means to prevent
the expiration. Since I plan on using password expiration as well, the 
above modifications would probably be necessary to make such a scheme
work well.

Thoughts?

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

"Given a choice between a complex, difficult-to-understand, disconcerting
 explanation and a simplistic, comforting one, many prefer simplistic
 comfort if it's remotely plausible, especially if it involves blaming
 someone else for their problems."
                                                -- Bob Lewis, _Infoworld_
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
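Whether the new trailing field breaks older clients comes down to how each decoder treats a context tag it does not recognise inside the EncKDCRepPart SEQUENCE. The following is an added example, not MIT krb5 code or the poster's patch: a minimal DER reader that decodes a constructed EncKDCRepPart-style SEQUENCE, compares a tolerant decoder (skips unknown tags) with a strict one (rejects them), and then applies configurable warning windows to key-expiration [3] (the existing key_exp) and a hypothetical princ_exp field at tag [12], the next free tag number after RFC 4120's [0]..[11]. The tag number, the field names and the sample reply (which carries only a subset of the real fields) are assumptions constructed for this illustration.

```python
"""Added example: tolerant vs. strict decoding of an EncKDCRepPart-style DER
SEQUENCE with an extra trailing field, plus configurable expiration warnings.
Not MIT krb5 code. Tag [12] for princ_exp is a hypothetical assumption."""
from datetime import datetime, timedelta, timezone

# Constructed reference time: the date of the original post, in UTC.
NOW = datetime(2003, 5, 2, 13, 34, 33, tzinfo=timezone.utc)

KEY_EXP_TAG = 3          # key-expiration [3] KerberosTime, RFC 4120
PRINC_EXP_TAG = 12       # hypothetical princ_exp [12], assumed for this example
OLD_TAGS = set(range(12))            # what an unmodified client knows: [0]..[11]
NEW_TAGS = OLD_TAGS | {PRINC_EXP_TAG}  # what a client with the patch would know


def _read_len(buf, i):
    """Decode a DER length at buf[i]; returns (length, index after length)."""
    b = buf[i]
    i += 1
    if b < 0x80:
        return b, i
    n = b & 0x7F
    return int.from_bytes(buf[i:i + n], "big"), i + n


def _tlv(buf, i):
    """Read one TLV at buf[i]; returns (tag byte, value bytes, next index)."""
    tag = buf[i]
    ln, j = _read_len(buf, i + 1)
    return tag, buf[j:j + ln], j + ln


def encode_tlv(tag, value):
    """Encode one DER TLV (short or long form length)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def kerberos_time(dt):
    """KerberosTime is a GeneralizedTime (tag 0x18) of the form YYYYMMDDHHMMSSZ."""
    return encode_tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def ctx(n, inner):
    """Wrap an encoding in the constructed context-specific tag [n]."""
    return encode_tlv(0xA0 | n, inner)


def sample_rep(with_princ_exp):
    """Constructed sample: a subset of EncKDCRepPart fields, optionally with [12]."""
    fields = [
        ctx(2, encode_tlv(0x02, b"\x01")),                       # nonce [2]
        ctx(KEY_EXP_TAG, kerberos_time(NOW + timedelta(days=20))),  # key-expiration [3]
        ctx(7, kerberos_time(NOW + timedelta(hours=10))),         # endtime [7]
    ]
    if with_princ_exp:
        fields.append(ctx(PRINC_EXP_TAG, kerberos_time(NOW + timedelta(days=100))))
    return encode_tlv(0x30, b"".join(fields))                      # SEQUENCE


def decode_fields(seq_der, known_tags, strict):
    """Return {tag number: inner DER} for the SEQUENCE. Unknown tags are
    skipped by a tolerant decoder and rejected by a strict one."""
    tag, body, end = _tlv(seq_der, 0)
    if tag != 0x30 or end != len(seq_der):
        raise ValueError("not a single DER SEQUENCE")
    fields, i = {}, 0
    while i < len(body):
        t, v, i = _tlv(body, i)
        n = t & 0x1F
        if n not in known_tags:
            if strict:
                raise ValueError(f"unexpected field [{n}]")
            continue
        fields[n] = v
    return fields


def strict_rejects(seq_der, known_tags):
    """True if a strict decoder with this tag set refuses the reply."""
    try:
        decode_fields(seq_der, known_tags, strict=True)
        return False
    except ValueError:
        return True


def parse_kerberos_time(tlv):
    t, v, _ = _tlv(tlv, 0)
    if t != 0x18:
        raise ValueError("expected GeneralizedTime")
    return datetime.strptime(v.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiration_warnings(fields, now, pw_warn_days, princ_warn_days):
    """Admin-configurable warning windows for password and principal expiry."""
    warnings = []
    if KEY_EXP_TAG in fields:
        exp = parse_kerberos_time(fields[KEY_EXP_TAG])
        if exp - now <= timedelta(days=pw_warn_days):
            warnings.append(f"password expires {exp:%Y-%m-%d}")
    if PRINC_EXP_TAG in fields:
        exp = parse_kerberos_time(fields[PRINC_EXP_TAG])
        if exp - now <= timedelta(days=princ_warn_days):
            warnings.append(f"principal expires {exp:%Y-%m-%d}")
    return warnings


if __name__ == "__main__":
    rep = sample_rep(with_princ_exp=True)
    print("old strict client rejects:", strict_rejects(rep, OLD_TAGS))
    print("old tolerant client sees:", sorted(decode_fields(rep, OLD_TAGS, False)))
    new = decode_fields(rep, NEW_TAGS, strict=False)
    print(expiration_warnings(new, NOW, pw_warn_days=30, princ_warn_days=120))
```

With the sample reply, an unmodified client that skips unknown tags simply never sees [12] and keeps working; one that rejects unexpected fields fails the whole reply, which is the compatibility question the post raises. The patched client gets both expiration times, and the 7-day default yields no password warning for a key expiring in 20 days while a 30-day window does.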
