[2458] in Kerberos_V5_Development
Re: Password expiration via a preauth mechanism
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Tue Jul 29 18:28:17 1997
To: Marc Horowitz <marc@cygnus.com>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "29 Jul 1997 17:13:18 EDT." <t53rachv9xt.fsf@rover.cygnus.com>
Date: Tue, 29 Jul 1997 18:26:23 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>This is in the right spirit, mostly. Part of the ASN.1 encoding does
>include an identifier of the particular message, so that the recipient
>can determine if the right message was sent. The way things are now,
>if the padata type was PA-ENC-TS when it should be PA-PW-EXPTIME, the
>recipient might not detect this error. It's a small issue which
>should probably be fixed if this is integrated.
Agreed. Like I said, a lot of the ASN.1 stuff seems to be the "Here be
dragons" realm :-)
(It all of a sudden occurs to me that since the PA-ENC-TS data is encrypted
but the PA-PW-EXPTIME data is not, it would be tough to get them confused,
but I still agree it's a problem).
>>> Clients can decode this if they wish and present it to the user. I
>>> added a new function to libkrb5, since I didn't want clients to have
>>> to include k5-int.h to get all of the ASN.1 prototypes. AFAIK,
>>> this doesn't affect clients that don't know about this preauth type.
>
>Did you add code to kinit or anything else to actually decode the
>message?
Yes, it's hardcoded into kinit right now .... which is a nice segue
into the next paragraph ...
>Have you looked at the new tgt functions in kerbnet? They make using
>new preauth types easier, and in cases like this, automatic for the
>client.
Yes, I have. I just wanted to get something working for now, but I
totally agree that the tgt functions are definitely the "right" way
of doing things. I guess my next task is to make a stab at integrating
the kerbnet tgt functions into my tree.
>If you send me the code, I'll make a quick stab at
>integrating it. Once I do this, all of the tgt clients (kinit, login,
>xdm, NT gina, mac) will display a message or dialog warning the user
>when the password is going to expire, without requiring any new code
>in the clients. Pretty cool :-)
I'll probably send it to you either tonight or tomorrow.
--Ken