[33282] in Kerberos


Re: Kerberos password expiration

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Mar 22 11:59:14 2011

From: Greg Hudson <ghudson@mit.edu>
To: "claudio.prono@atpss.net" <claudio.prono@atpss.net>
In-Reply-To: <4D88B342.8060103@atpss.net>
Date: Tue, 22 Mar 2011 11:59:06 -0400
Message-ID: <1300809546.2397.721.camel@t410>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

On Tue, 2011-03-22 at 10:33 -0400, Claudio Prono wrote:
> I have the users already working, but now how I can set a password
> expiration policy?

In MIT krb5 you'd do it like this:

1. Run kadmin or kadmin.local

2. Create a password policy with 'addpol -maxlife "90 days" polname',
where polname can be any name you want.  You can make further changes to
the policy with the modpol command.

3. Associate the policy with the users with 'modprinc -policy polname
userprinc', for each user principal.

4. The next time the users change passwords, they will get a 90-day
expiry time.

5. You can set a one-time expiration for a user's current password with
'modprinc -pwexpire "90 days" userprinc'.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
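
Added example, not part of the message above: steps 2, 3 and 5 batched over several principals, so that accounts whose passwords are never changed still get an expiry. The policy name pwexpire90, the APPLY switch, the function names and the sample principals are assumptions made for illustration; only the kadmin commands themselves come from the message, plus getprinc to inspect the result.

```shell
#!/bin/sh
# Emit (and optionally run) the kadmin commands for a password-expiry rollout.
# POLICY and MAXLIFE are constructed defaults; override them in the environment.
POLICY="${POLICY:-pwexpire90}"
MAXLIFE="${MAXLIFE:-90 days}"

# Accept only characters that kadmin's own tokenizer cannot split or requote,
# and refuse a leading '-' so a name can never be read as an option.
valid_princ() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._/@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one kadmin command per line: create the policy (step 2), then for each
# principal attach it (step 3), expire the current password once (step 5),
# and show the principal so the policy and expiration date can be checked.
gen_commands() {
    printf 'addpol -maxlife "%s" %s\n' "$MAXLIFE" "$POLICY"
    for p in "$@"; do
        if ! valid_princ "$p"; then
            echo "skipping invalid principal: $p" >&2
            continue
        fi
        printf 'modprinc -policy %s %s\n' "$POLICY" "$p"
        printf 'modprinc -pwexpire "%s" %s\n' "$MAXLIFE" "$p"
        printf 'getprinc %s\n' "$p"
    done
}

# Dry run by default; APPLY=1 sends each line to kadmin.local -q on the KDC.
apply_commands() {
    gen_commands "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            kadmin.local -q "$cmd"
        else
            printf 'would run: kadmin.local -q %s\n' "$cmd"
        fi
    done
}

# Stand-alone use: ./script.sh alice bob   (dry run unless APPLY=1)
if [ "$#" -gt 0 ]; then
    apply_commands "$@"
fi
```

Without the modprinc -pwexpire line, a principal keeps its current password indefinitely until the user next changes it, as step 4 describes.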
