[2455] in Kerberos_V5_Development
Password expiration via a preauth mechanism
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Tue Jul 29 16:05:30 1997
To: krbdev@MIT.EDU
Date: Tue, 29 Jul 1997 15:57:12 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
After a bit of head-scratching, I think I figured out how preauthentication
actually works. So anyway, I added a new preauthentication type called
KRB5_PADATA_PW_EXPTIME. This contains the time the password is going to
expire. There is a new configuration entry in the kdc.conf file called
"kdc_warn_pwexpire" that contains a delta time used to decide when to
start warning the user. For example, if you have:
kdc_warn_pwexpire = 7d 0m 0s
PADATA_PW_EXPTIME preauth data will be sent in reply to AS_REQs when
a client's password will expire in 7 days or less.
I cheated a bit on the data format; I didn't want to define a new ASN.1
message type (is that the right terminology?), so the password expiration
time is encoded using the PA-ENC-TS ASN.1 message type (since it's really
just a timestamp). This seems at least to be the right "spirit", since
the emphasis is on using ASN.1 for all Kerberos data. I don't think
this presents any security problems, since in my implementation the
preauth data isn't encrypted and thus cannot be substituted for a valid
PA-ENC-TS message.
Clients can decode this if they wish and present it to the user. I
added a new function to libkrb5, since I didn't want clients to have
to include k5-int.h to get all of the ASN.1 prototypes. AFAIK,
this doesn't affect clients that don't know about this preauth type.
Comments? Any interest in the code?
--Ken
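The mechanism Ken describes, as an added worked example that is not code from his patch or from MIT Kerberos: the KDC checks whether the principal's password expires within the kdc_warn_pwexpire delta and, if so, appends a PA-DATA whose value is a DER-encoded PA-ENC-TS-ENC (SEQUENCE { patimestamp [0] KerberosTime, pausec [1] Microseconds OPTIONAL }, the plaintext half of PA-ENC-TIMESTAMP) carrying the expiration time; the client decodes it and warns the user. The PA-DATA type number PA_PW_EXPTIME, the delta parser, the sample times and the message text are all assumptions made here; the post assigns no number and shows no client output.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical pa-data type number for the new preauth type; the post does
# not say which value the patch used, so this is a placeholder.
PA_PW_EXPTIME = 999

# Constructed sample input: a fixed "now" and two password expiration times,
# one inside and one outside a 7-day warning window.
SAMPLE_NOW = datetime(1997, 7, 29, 16, 0, 0, tzinfo=timezone.utc)
SAMPLE_EXPIRY_SOON = datetime(1997, 8, 3, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_EXPIRY_LATER = datetime(1997, 9, 1, 0, 0, 0, tzinfo=timezone.utc)


def parse_delta(text):
    """Parse a kdc.conf-style delta such as '7d 0m 0s'.

    Simplified: accepts d/h/m/s units only, not the full krb5 delta grammar."""
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    if not parts:
        raise ValueError("unparseable delta: %r" % text)
    return timedelta(seconds=sum(int(n) * units[u] for n, u in parts))


# --- minimal DER helpers (enough for PA-ENC-TS-ENC) -------------------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(n):
    # Minimal two's-complement encoding, as DER requires.
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)


def _read_tlv(buf, pos=0):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def kerberos_time(dt):
    # KerberosTime is GeneralizedTime restricted to "YYYYMMDDhhmmssZ".
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode()


def encode_pa_enc_ts_enc(ts, usec=None):
    """DER-encode PA-ENC-TS-ENC ::= SEQUENCE {
           patimestamp [0] KerberosTime, pausec [1] Microseconds OPTIONAL }."""
    body = _tlv(0xA0, _tlv(0x18, kerberos_time(ts)))      # [0] EXPLICIT GeneralizedTime
    if usec is not None:
        body += _tlv(0xA1, _tlv(0x02, _der_int(usec)))    # [1] EXPLICIT INTEGER
    return _tlv(0x30, body)                               # SEQUENCE


def decode_pa_enc_ts_enc(der):
    """Strict inverse of encode_pa_enc_ts_enc; raises ValueError on anything else."""
    tag, body, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, inner, pos = _read_tlv(body)
    if tag != 0xA0:
        raise ValueError("missing patimestamp [0]")
    tag, raw, _ = _read_tlv(inner)
    if tag != 0x18:
        raise ValueError("patimestamp is not GeneralizedTime")
    when = datetime.strptime(raw.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    usec = None
    if pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA1:
            tag, raw, _ = _read_tlv(inner)
            if tag != 0x02:
                raise ValueError("pausec is not INTEGER")
            usec = int.from_bytes(raw, "big", signed=True)
    return when, usec


# --- KDC side ---------------------------------------------------------------

def kdc_pw_exptime_padata(pw_expiration, now, warn_delta):
    """Return a (patype, value) pair to append to the AS-REP pa-data list, or
    None when the password is not yet inside the warning window."""
    if pw_expiration - now > warn_delta:
        return None
    # Sent in the clear: this is the plaintext PA-ENC-TS-ENC, not an
    # EncryptedData, so it cannot be replayed as a PA-ENC-TIMESTAMP.
    return (PA_PW_EXPTIME, encode_pa_enc_ts_enc(pw_expiration))


# --- client side ------------------------------------------------------------

def client_password_warning(padata_list, now):
    """Scan pa-data; if the KDC included PA_PW_EXPTIME, return a user warning."""
    for patype, value in padata_list:
        if patype != PA_PW_EXPTIME:
            continue  # unknown types are ignored, as for any unrecognised pa-data
        when, _ = decode_pa_enc_ts_enc(value)
        hours = int((when - now).total_seconds() // 3600)
        return "Warning: your password will expire in %d hours (at %s UTC)" % (
            hours, when.strftime("%Y-%m-%d %H:%M:%S"))
    return None


if __name__ == "__main__":
    pa = kdc_pw_exptime_padata(SAMPLE_EXPIRY_SOON, SAMPLE_NOW, parse_delta("7d 0m 0s"))
    print(pa[1].hex())
    print(client_password_warning([pa], SAMPLE_NOW))
```

Because the value travels unencrypted and carries no integrity protection, a client should treat it as advisory only (show the warning, never act on it automatically); someone who can tamper with the AS-REP can just as easily strip or alter it.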