[2471] in Kerberos_V5_Development
Re: Password expiration via a preauth mechanism
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Thu Jul 31 12:08:25 1997
To: joda@pdc.kth.se (Johan Danielsson)
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "31 Jul 1997 02:52:55 +0200." <xofg1swkpp4.fsf@blubb.pdc.kth.se>
Date: Thu, 31 Jul 1997 12:06:54 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>Sounds both better and easier to me, rather than using random
>ASN.1-types. Since your sequence-of decoder is broken, you might as
>well fill the required field with something useful. :-)

The more I think about it, the more I think you're right. I'll just recode
my hack to use the last_req field instead of a preauth (since both are
optional, and I won't have to play games with the ASN.1 datatypes).

>> I think that if you want to specify additional information or allow
>> the warning time to be set on the KDC, it would be reasonable to use
>> preauth. However, I would expect any KDC that implemented such a
>> protocol to also include the information in the KDC reply.
>
>Hmm, I'm not quite sure I follow. Are you suggesting that some
>information should be passed *to* the KDC?

Sam and I talked about this; he's referring to using the key_exp field
in the KDC reply. That should be a minimum of the password expiration
time and the principal expiration time. Currently in the MIT release,
it's just the principal expiration time; in KerbNet, it's the password
expiration time.

--Ken