[2085] in Kerberos_V5_Development
Handling password expiration gracefully
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Sat Dec 7 22:38:40 1996
To: krbdev@MIT.EDU
Date: Sat, 07 Dec 1996 22:38:28 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

I've been thinking of adding better support for password aging into login.krb5
(and xdm eventually, probably).

I believe that Cygnus has said that they had support for running kpasswd in
login.krb5, and that's part of what I would want to do. However, another
part of what I would like to do would be to _warn_ the user that their
password is expiring, before it actually expires. However, I don't see
a good way to do that currently, other than open up a kadm5 connection each
time from within login or kinit, and I would like to avoid that overhead
if possible.

A way to accomplish this might be to set a flag in the KDC that
would say "hey, this password is about to expire" (the threshold being
configurable, of course) and that flag would be returned in the TGT. If
a client program saw this flag, then it could say "Hey, your password is
about to expire" (and maybe open up a kadm5 connection to find out the
actual expiration date).

Does anyone else think this is worth doing, or have better ideas on how
to implement it?

--Ken