[2095] in Kerberos_V5_Development
Re: Handling password expiration gracefully
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Mon Dec 9 12:12:18 1996
Date: Mon, 9 Dec 1996 12:12:00 -0500
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: kenh@cmf.nrl.navy.mil
Cc: krbdev@MIT.EDU
In-Reply-To: <199612080338.WAA26125@ginger.cmf.nrl.navy.mil> (message from Ken Hornstein on Sat, 07 Dec 1996 22:38:28 -0500)

An implementation that uses the kadm5 api is clearly (to me) the right
way to start, because that api already exists and is easy to use.
OV's login program did what you describe, with the following
properties:
o It warned about upcoming password and principal expiration, with a
hard-coded warning period (five days, I think). A changeable warning
period is a field we could add to policies in a new revision.
o When the password expired, it allowed the user to change it. It did
not just run kpasswd but inlined it so that the user was only prompted
for the old password once. It also displayed a description of the
password policy as per kpasswd:
login: bjaspan
Password:
Your password has expired; you must change it now.
You are controlled by the policy "default", which ...
New password:
New password (again):
Password changed.
<normal login sequence follows>
This is what I would recommend. The KADM5 api is documented in
doc/kadm5/api-funcspec.tex in the release.
Barry
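As an added example (not code from this thread or from the Kerberos distribution), the following Python sketches the login-time logic the message describes: the five-day warning window for upcoming password and principal expiration, the forced change on expiry with the policy description shown, and a single prompt for the old password that is reused for the change request. The PrincipalEntry field names follow the kadm5 principal entry (princ_expire_time, pw_expiration, policy), but the data is constructed, and the authenticate and change_password callbacks are assumed stand-ins for the real KDC and kadm5 calls.

```python
"""Login-time expiration handling, modelled on the flow described in the message.

Added example; the kadm5-style field names are borrowed, the data is constructed,
and the authenticate/change_password callbacks stand in for real KDC/kadm5 calls.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

WARNING_PERIOD = timedelta(days=5)  # the hard-coded warning period the message mentions
NOW = datetime(1996, 12, 9, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


def days(n: int) -> datetime:
    """Constructed timestamp n days from NOW (negative n is in the past)."""
    return NOW + timedelta(days=n)


@dataclass
class PrincipalEntry:
    principal: str
    princ_expire_time: Optional[datetime]  # None means the principal never expires
    pw_expiration: Optional[datetime]      # None means the password never expires
    policy: Optional[str]                  # name of the password policy, if any


def check_expiration(entry: PrincipalEntry, now: datetime,
                     warning_period: timedelta = WARNING_PERIOD):
    """Classify the login as 'deny', 'change_password' or 'login' and collect messages."""
    if entry.princ_expire_time is not None and entry.princ_expire_time <= now:
        return "deny", ["Your account has expired; contact your administrator."]
    if entry.pw_expiration is not None and entry.pw_expiration <= now:
        msgs = ["Your password has expired; you must change it now."]
        if entry.policy:
            msgs.append(f'You are controlled by the policy "{entry.policy}".')
        return "change_password", msgs
    msgs = []
    for label, when in (("account", entry.princ_expire_time),
                        ("password", entry.pw_expiration)):
        if when is not None and when - now <= warning_period:
            msgs.append(f"Warning: your {label} expires in {(when - now).days} day(s).")
    return "login", msgs


def login(entry, now, prompt, authenticate, change_password,
          warning_period=WARNING_PERIOD):
    """Run the login sequence. The old password is prompted for exactly once and
    reused for the change request, which is what inlining kpasswd buys."""
    password = prompt("Password: ")
    if not authenticate(entry.principal, password):
        return "denied", ["Login incorrect."]
    action, msgs = check_expiration(entry, now, warning_period)
    if action == "deny":
        return "denied", msgs
    if action == "change_password":
        new = prompt("New password: ")
        again = prompt("New password (again): ")
        if new != again:
            return "denied", msgs + ["Passwords do not match."]
        ok, reason = change_password(entry.principal, password, new)
        if not ok:
            return "denied", msgs + [reason]
        msgs.append("Password changed.")
    return "login", msgs


def scripted_prompt(answers):
    """Return a prompt function that replays canned answers and records what was asked."""
    queue = list(answers)
    asked = []

    def prompt(text):
        asked.append(text)
        return queue.pop(0)
    return prompt, asked


if __name__ == "__main__":
    # Constructed session: bjaspan's password expired yesterday under policy "default".
    entry = PrincipalEntry("bjaspan", None, days(-1), "default")
    prompt, asked = scripted_prompt(["old-secret", "new-secret", "new-secret"])
    outcome, msgs = login(
        entry, NOW, prompt,
        authenticate=lambda p, pw: pw == "old-secret",
        change_password=lambda p, old, new: (old == "old-secret" and new != old,
                                             "Password change rejected."))
    print(outcome, asked, *msgs, sep="\n")
```

The warning loop treats principal and password expiry alike, so a configurable period (the policy field the message suggests adding) would only need to replace the WARNING_PERIOD default; the recorded prompts in the scripted session show that "Password: " is asked once even on the change path.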