[2465] in Kerberos_V5_Development
Re: Password expiration via a preauth mechanism
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Jul 30 15:45:55 1997
From: Sam Hartman <hartmans@MIT.EDU>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: krbdev@MIT.EDU
Date: 30 Jul 1997 14:42:49 -0500
In-Reply-To: Ken Hornstein's message of Wed, 30 Jul 1997 15:14:12 -0400
>>>>> "Ken" == Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
>> I think that if you want to specify additional information or
>> allow the warning time to be set on the KDC, it would be
>> reasonable to use preauth. However, I would expect any KDC
>> that implemented such a protocol to also include the
>> information in the KDC reply.
Ken> I'm confused, I think. The preauth data is included as part
Ken> of the KDC reply right now, in my implementation. Did you
Ken> mean something else? It's not in the krb5_enc_kdc_rep_part,
Ken> if that's what you mean.
I mean that the key-expiration time in kdc-rep (Section 5.4.2) should be filled in with the minimum of password expiration and principal expiration in any KDC that warns the client about password expiration using some other mechanism.
Ken> --Ken