Perl question
Garrett Wollman
wollman at khavrinen.csail.mit.edu
Thu Sep 22 13:10:46 EDT 2005
In article <1127406998.18435.5.camel at localizer.uta.edu>,
Digant C Kasundra <digant at uta.edu> wrote:
>Hello folks,
>
>I'm trying to find a way to authenticate a username and password pair
>regardless of whether the password is expired or not. When using
>Authen::Krb5, if an accounts pw is expired, regardless of the password I
>use to try to get a ticket, it will give me the error that the password
>is expired. How can I verify the username and password?
This isn't actually a Perl question.
You need to request an initial ticket for a password-changing
service, rather than the ticket-granting. Expired users can only
request initial tickets for a service which is identified in the KDC
as being a password-changing service.
You should create a separate principal for this, so that you can
safely put that principal's key in a keytab and use it to verify the
ticket you have received. The code you have shown does not verify the
ticket, and thus does not actually check the password.
-GAWollman
--
Garrett A. Wollman | As the Constitution endures, persons in every
wollman at csail.mit.edu | generation can invoke its principles in their own
Opinions not those | search for greater freedom.
of MIT or CSAIL. | - A. Kennedy, Lawrence v. Texas, 539 U.S. 558 (2003)
More information about the Kerberos
mailing list