[2456] in Kerberos_V5_Development


Re: Password expiration via a preauth mechanism

daemon@ATHENA.MIT.EDU (Marc Horowitz)
Tue Jul 29 17:14:25 1997

To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: krbdev@MIT.EDU
From: Marc Horowitz <marc@cygnus.com>
Date: 29 Jul 1997 17:13:18 -0400
In-Reply-To: Ken Hornstein's message of Tue, 29 Jul 1997 15:57:12 -0400

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

>> I cheated a bit on the data format; I didn't want to define a new ASN.1
>> message type (is that the right terminology?), so the password expiration
>> time is encoded using the PA-ENC-TS ASN.1 message type (since it's really
>> just a timestamp).  This seems at least to be the right "spirit", since
>> the emphasis is on using ASN.1 for all Kerberos data.  I don't think
>> this presents any security problems, since in my implementation the
>> preauth data isn't encrypted and thus cannot be substituted for a valid
>> PA-ENC-TS message.

This is in the right spirit, mostly.  Part of the ASN.1 encoding does
include an identifier of the particular message, so that the recipient
can determine if the right message was sent.  The way things are now,
if the padata type was PA-ENC-TS when it should be PA-PW-EXPTIME, the
recipient might not detect this error.  It's a small issue which
should probably be fixed if this is integrated.

>> Clients can decode this if they wish and present it to the user.  I
>> added a new function to libkrb5, since I didn't want clients to have
>> to include k5-int.h to get all of the ASN.1 prototypes.  AFAIK,
>> this doesn't affect clients that don't know about this preauth type.

Did you add code to kinit or anything else to actually decode the
message?

>> Comments?  Any interest in the code?

Have you looked at the new tgt functions in kerbnet?  They make using
new preauth types easier, and in cases like this, automatic for the
client.  If you send me the code, I'll make a quick stab at
integrating it.  Once I do this, all of the tgt clients (kinit, login,
xdm, NT gina, mac) will display a message or dialog warning the user
when the password is going to expire, without requiring any new code
in the clients.  Pretty cool :-)

		Marc

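As an added illustration of Marc's point about the ASN.1 type identifier (example code written for this page, not Ken's patch and not MIT krb5 or kerbnet code): a toy DER encoder/decoder that sends a password-expiration time once in Ken's form, i.e. reusing the PA-ENC-TS-ENC encoding, and once as a distinct ASN.1 type, then checks whether a receiver can notice that the value arrived under the wrong padata-type. PA-ENC-TIMESTAMP = 2 and the shape of PA-ENC-TS-ENC are as in the Kerberos spec; the padata-type number 9999 for PA-PW-EXPTIME and the [APPLICATION 7] tag for its distinct encoding are invented for this example and assigned by no Kerberos document.

```python
"""Toy DER encode/decode for a timestamp padata value (added example, not krb5 code)."""
import datetime

PA_ENC_TIMESTAMP = 2      # real padata-type number
PA_PW_EXPTIME = 9999      # invented number for Ken's proposed type
APP_TAG_PW_EXPTIME = 7    # invented application tag, assumed here only

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_GENERALIZED_TIME = 0x18
TAG_APP_PW_EXPTIME = 0x60 | APP_TAG_PW_EXPTIME   # constructed, APPLICATION class


def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """INTEGER with minimal two's-complement content (non-negative values only)."""
    return der_tlv(TAG_INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def kerberos_time(dt):
    """KerberosTime is GeneralizedTime restricted to YYYYMMDDHHMMSSZ."""
    return der_tlv(TAG_GENERALIZED_TIME, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def encode_pa_enc_ts_enc(dt, usec=None):
    """PA-ENC-TS-ENC ::= SEQUENCE { patimestamp [0] KerberosTime, pausec [1] INTEGER OPTIONAL }"""
    body = der_tlv(0xA0, kerberos_time(dt))
    if usec is not None:
        body += der_tlv(0xA1, der_int(usec))
    return der_tlv(TAG_SEQUENCE, body)


def encode_pa_pw_exptime(dt):
    """Invented distinct type: [APPLICATION 7] SEQUENCE { exptime [0] KerberosTime }"""
    return der_tlv(TAG_APP_PW_EXPTIME, der_tlv(TAG_SEQUENCE, der_tlv(0xA0, kerberos_time(dt))))


def parse_tlv(buf):
    """Return (tag, body, rest) for the first DER element in buf."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, buf[pos + length:]


# Outer ASN.1 tag a receiver expects for each padata-type it understands.
EXPECTED_OUTER_TAG = {
    PA_ENC_TIMESTAMP: TAG_SEQUENCE,     # cleartext PA-ENC-TS-ENC, as in Ken's scheme
    PA_PW_EXPTIME: TAG_APP_PW_EXPTIME,  # the distinct type Marc's comment asks for
}


def decode_timestamp_padata(patype, value):
    """Decode the KerberosTime in a padata value; reject a wrong outer tag for this padata-type."""
    if patype not in EXPECTED_OUTER_TAG:
        raise ValueError("unknown padata-type %d" % patype)
    expected = EXPECTED_OUTER_TAG[patype]
    tag, body, rest = parse_tlv(value)
    if rest:
        raise ValueError("trailing bytes after padata-value")
    if tag != expected:
        raise TypeError("padata-type %d expects tag 0x%02x, got 0x%02x" % (patype, expected, tag))
    if tag == TAG_APP_PW_EXPTIME:       # strip the application tag, then expect the SEQUENCE
        tag, body, _ = parse_tlv(body)
        if tag != TAG_SEQUENCE:
            raise ValueError("application-tagged value does not wrap a SEQUENCE")
    ctx_tag, ts, _ = parse_tlv(body)    # [0] KerberosTime; any [1] pausec is ignored here
    gt_tag, gt, _ = parse_tlv(ts)
    if ctx_tag != 0xA0 or gt_tag != TAG_GENERALIZED_TIME:
        raise ValueError("expected [0] GeneralizedTime")
    return datetime.datetime.strptime(gt.decode("ascii"), "%Y%m%d%H%M%SZ")


def mislabel_detected(encoder):
    """Encode an expiry time with `encoder`, send it under PA-ENC-TIMESTAMP instead of
    PA-PW-EXPTIME, and report whether the receiver noticed the mismatch."""
    value = encoder(datetime.datetime(1997, 8, 28, 12, 0, 0))   # constructed sample time
    try:
        decode_timestamp_padata(PA_ENC_TIMESTAMP, value)
        return False      # accepted as a PA-ENC-TS message: mismatch went unnoticed
    except TypeError:
        return True


if __name__ == "__main__":
    print("reused PA-ENC-TS-ENC encoding, mismatch detected:", mislabel_detected(encode_pa_enc_ts_enc))
    print("distinct [APPLICATION 7] encoding, mismatch detected:", mislabel_detected(encode_pa_pw_exptime))
```

With the reused encoding the two padata values are byte-identical, so nothing in the value itself tells a receiver which message it is and only the padata-type field carries that information; with its own tag the value refuses to decode as anything but PA-PW-EXPTIME, which is the small fix Marc suggests making before the code is integrated.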