[2091] in Kerberos_V5_Development
Re: Handling password expiration gracefully
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Sun Dec 8 17:47:24 1996
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: krbdev@MIT.EDU
From: Marc Horowitz <marc@cygnus.com>
Date: 08 Dec 1996 17:46:33 -0500
In-Reply-To: Ken Hornstein's message of Sat, 07 Dec 1996 22:38:28 -0500

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

>> However, another part of what I would like to do would be to _warn_
>> the user that their password is expiring, before it actually
>> expires. However, I don't see a good way to do that currently,
>> other than open up a kadm5 connection each time from within login
>> or kinit, and I would like to avoid that overhead if possible.

This is what OV does; the overhead was not noticeable, but a larger
environment might change that.

>> A way to accomplish this might be able to set a flag in the KDC
>> that would say "hey, this password is about to expire" (the
>> threshold being configurable, of course) and that flag would be
>> returned in the TGT. If a client program saw this flag, then it
>> could say "Hey, your password is about to expire" (and maybe open
>> up a kadm5 connection to find out the actual expiration date).
>> Does anyone else think this is worth doing, or have better ideas on
>> how to implement it?
>>
>> --Ken

The KDC already knows the expiration time. You could define a
tell-me-what-the-expiration-time-is preauth, and have login/xdm use
that.

Marc
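
Added example, not part of the original message or of any Kerberos code base: a sketch of the client-side check that login or kinit could run once the KDC has told it the expiration time. It assumes the times arrive as already-decoded last-req entries (lr-type 6 and 7 as defined in RFC 4120) rather than through the preauth type proposed above; the function names, the 7-day default threshold and the sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# lr-type values from RFC 4120 section 5.4.2 (LastReq).
LR_PASSWORD_EXPIRES = 6
LR_ACCOUNT_EXPIRES = 7
LABELS = {LR_PASSWORD_EXPIRES: "password", LR_ACCOUNT_EXPIRES: "account"}


def parse_kerberos_time(value):
    """KerberosTime is a GeneralizedTime with no fractional seconds, in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiry_warnings(last_req, now, threshold=timedelta(days=7)):
    """Return (kind, state, time_left) tuples for entries inside the threshold.

    last_req: list of (lr_type, lr_value) pairs as already decoded from the
    KDC reply; decoding the ASN.1 itself is out of scope here.
    """
    warnings = []
    for lr_type, lr_value in last_req:
        # A negative lr-type means the value applies only to the responding
        # server; the meaning is carried by the absolute value.
        kind = LABELS.get(abs(lr_type))
        if kind is None:
            continue  # not an expiration entry
        left = parse_kerberos_time(lr_value) - now
        if left <= timedelta(0):
            warnings.append((kind, "expired", left))
        elif left <= threshold:
            warnings.append((kind, "expiring", left))
    return warnings


# Constructed sample reply data, not taken from a real KDC.
SAMPLE_LAST_REQ = [
    (5, "19961208224633Z"),    # last request of any type: ignored
    (6, "19961211120000Z"),    # password expires in under 3 days
    (-7, "19970601000000Z"),   # account expiry, far in the future
]
SAMPLE_NOW = parse_kerberos_time("19961208224633Z")

if __name__ == "__main__":
    for kind, state, left in expiry_warnings(SAMPLE_LAST_REQ, SAMPLE_NOW):
        print(f"Warning: your {kind} is {state} ({left.days} days left)")
```

Because the check only reads fields from the reply the client already has, it needs no extra kadm5 connection per login.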