
Re: Improved support for password/principal expiration

daemon@ATHENA.MIT.EDU (James F.Hranicky)
Fri May 2 16:38:00 2003

Date: Fri, 2 May 2003 16:36:07 -0400
From: "James F.Hranicky" <jfh@cise.ufl.edu>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Message-Id: <20030502163607.53d1d962.jfh@cise.ufl.edu>
In-Reply-To: <200305022004.h42K4hsG023177@ginger.cmf.nrl.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

On Fri, 02 May 2003 16:04:42 -0400
Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

> The second sentence is the killer here.  It means that key-expiration
> has double duty; it can be EITHER account expiration or password
> aging.  Different implementations interpret this different ways.  The
> RFC 1510 revision has similar wording.  I don't really have a good idea
> what would make sense for determining account expiration, other than to
> suggest another last-req field maybe isn't a bad idea.

Hmmm...the only "application" that can really interpret it is the kgicp()
code, isn't it?

I don't really understand how the client is supposed to interpret what
the KDC means...

> Ah-ha, I had forgotten ... there is already a last-req entry allocated
> for account expiration!  Password expiration has a lr-value of 6, and
> account expiration has a lr-value of 7.  So there you go; you've
> already got a spot in the protocol.

Shall I code it up, or do you want to? :->

At this point, then, I don't know what to do with the key_exp field, except
ignore it I suppose.

> If you're talking about the client code, it's in 1.3 and the alpha today.
> If you mean the KDC code, it won't be in either, because 1.3 has passed
> the feature freeze.  Maybe for 1.3.1, but we'll have to see.  However,
> the code hooks quite nicely into kdc/kdc_util.c:fetch_last_req_info().

I believe I can patch it myself if necessary...any thoughts on running
the 1.3 code in production :-> ?

> >Ok, would this be set in kdc.conf or through kadmin?
> 
> In my implementation, kdc.conf.

Ok, that's fine.
[customization of prompter]

> Seems reasonable to me.

Great.

> >I could try to code some of this up if you'd like.
> 
> I think it sounds fine, but I'm not the one you have to convince, since I'm
> not part of the MIT Kerberos development team.  You might want to chat
> with them (I know they're on this list, I just don't know how busy they
> are).

Ok -- does anyone on the list want me to take this over to krb5dev, or is this
discussion enough?

Jim
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
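The point of the exchange above is that a client cannot tell from key-expiration alone whether the password or the account is about to expire, while the last-req entries (lr-value 6 for password expiration, 7 for account expiration) are unambiguous. The following is an added illustration, not code from this thread or from MIT Kerberos, of how a kinit-style prompter could prefer the last-req entries and fall back to key-expiration only when neither is present; the function names and the sample timestamps are constructed for the example.

```python
"""Decide which expiration warnings a Kerberos client should show."""
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional, Tuple

# lr-type codes discussed in the thread (RFC 4120 calls the field lr-type).
LR_PASSWORD_EXPIRATION = 6
LR_ACCOUNT_EXPIRATION = 7


class LastReq(NamedTuple):
    lr_type: int
    lr_value: datetime  # KerberosTime, always UTC


def expiration_warnings(last_req: List[LastReq],
                        key_expiration: Optional[datetime],
                        now: datetime,
                        threshold: timedelta = timedelta(days=7)
                        ) -> List[Tuple[str, datetime]]:
    """Return (kind, when) pairs to warn about within `threshold`.

    kind is "password" or "account" when a last-req entry says so, and
    "key" only when the KDC sent no such entry and we are left with the
    ambiguous key-expiration field.
    """
    warnings = []
    explicit = False
    for entry in last_req:
        if entry.lr_type == LR_PASSWORD_EXPIRATION:
            kind = "password"
        elif entry.lr_type == LR_ACCOUNT_EXPIRATION:
            kind = "account"
        else:
            continue  # other lr-types carry no expiration meaning
        explicit = True
        if entry.lr_value - now <= threshold:
            warnings.append((kind, entry.lr_value))
    # key-expiration does double duty, so only use it as a last resort.
    if not explicit and key_expiration is not None \
            and key_expiration - now <= threshold:
        warnings.append(("key", key_expiration))
    return warnings


def demo_kinds() -> dict:
    """Constructed AS-REP data; returns only the warning kinds per case."""
    now = datetime(2003, 5, 2, 20, 36, tzinfo=timezone.utc)
    soon, later = now + timedelta(days=2), now + timedelta(days=30)
    both = [LastReq(LR_PASSWORD_EXPIRATION, soon),
            LastReq(LR_ACCOUNT_EXPIRATION, later)]
    return {
        "explicit": [k for k, _ in expiration_warnings(both, soon, now)],
        "fallback": [k for k, _ in expiration_warnings([], soon, now)],
        "none": [k for k, _ in expiration_warnings([LastReq(1, now)], None, now)],
    }
```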
