[2469] in Kerberos_V5_Development
Re: Password expiration via a preauth mechanism
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Wed Jul 30 17:53:41 1997
To: Marc Horowitz <marc@cygnus.com>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "30 Jul 1997 17:30:45 EDT."
<t53vi1stegq.fsf@rover.cygnus.com>
Date: Wed, 30 Jul 1997 17:46:43 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>yep, you're right. easy fix, though :-) The real work is in the
>client, which is also there.
The problem with key_exp is that it's supposed to be _either_ one or
the other, so using it as a way of sending when your password is going
to expire isn't compatible with other KDC's (which is also true of the
nutty PA-PW-EXPTIME, but at least you won't get it wrong).
I suppose one could look at key_exp and then use the admin protocol
to figure out what's really up, but I'd hate to do that as that would
cause massive bloat (and it's not clear if you can even run GSS-RPC
on non-Unix platforms).
--Ken
