krb5 API

Nicolas Williams Nicolas.Williams at ubsw.com
Thu Aug 1 13:54:42 EDT 2002


Oh, yes, IIRC there was a bug in krb5_gic_pwd() that prevented the
"Password will expire in X [time]" warning from ever being prompted.

I forget the details, but I can dig it up - IIRC it was pretty obvious.

Nico

On Thu, Aug 01, 2002 at 01:13:14PM -0400, Mike Reinertsen wrote:
> The code that I'm working with does not appear to support the "prompt" that
> a password is about to expire.  At least not as far as I can tell.  I set my
> password to expire today and traced through the execution of
> krb5_get_init_creds_password() and the code that sets the prompts regarding
> password expiration is not executed.  So, the prompt parsing method does not
> seem to be an alternative as far as I can tell.  Is there another way using
> the public krb5 API that you're aware of?
> 
> Thanks.
> 
> -----Original Message-----
> From: Nicolas.Williams at ubsw.com [mailto:Nicolas.Williams at ubsw.com]
> Sent: Monday, July 29, 2002 3:54 PM
> To: mike.reinertsen at nyfix.com; kerberos at mit.edu
> Subject: RE: krb5 API
> 
> 
> 
> Indeed. The krb5_gic_pwd() API forces you to parse the prompts
> (check out prompt types) to get at that info. That's ok if you
> intend to show a user a message: just pass the prompt on to
> the user, but if you then want to give the user a chance to
> change his password right away then you have to understand
> the prompts.
> 
> Cheers,
> 
> Nico
> -- 
> 
> > -----Original Message-----
> > From: Mike Reinertsen [mailto:mike.reinertsen at nyfix.com]
> > Sent: Monday, July 29, 2002 3:32 PM
> > To: Williams, Nicolas; Mike Reinertsen; kerberos at mit.edu
> > Subject: RE: krb5 API
> > 
> > 
> > Upon closer inspection of krb5.h, you're right, krb5_get_in_tkt_with_*()
> > appears to be deprecated.  The reason for my selection of it is the OUT
> > krb5_kdc_rep parameter.  This was the only way that I could deduce from
> > looking at code and headers to get an instance of krb5_kdc_rep that
> > contains krb5_kdc_rep.enc_part2->key_exp.  Is there another way?  If I
> > follow your advice and steer clear of krb5_get_in_tkt_with_*(), then I
> > don't see another way to get at an instance of krb5_kdc_rep.  It seems
> > to be private to the implementation of the krb5_get_init_creds_*() API.
> > 
> > Thanks.
> > 
> > Mike
> > 
> > -----Original Message-----
> > From: Nicolas.Williams at ubsw.com [mailto:Nicolas.Williams at ubsw.com]
> > Sent: Monday, July 29, 2002 2:37 PM
> > To: mike.reinertsen at nyfix.com; kerberos at mit.edu
> > Subject: RE: krb5 API
> > 
> > 
> > 
> > Well, technically, the key_exp field is ambiguous and deprecated;
> > instead there's a sequence field that is better suited for this
> > (LastReq - see RFC1510), but MIT krb5 doesn't support it.
> > 
> > Anyways, yes, the key_exp field is what you need - if it's set to
> > 0 then the key/password has no expiration associated with it.
> > 
> > And yes, you should use the krb5_get_init_creds_*() API instead
> > of the krb5_get_in_tkt_with_*() API. The former is newer and
> > more general.
> > 
> > Is the krb5_get_in_tkt_with_*() API deprecated? The last KfM
> > announcement said so, but that was specific to MacOS [X]...
> > 
> > Cheers,
> > 
> > Nico
> > -- 
> > 
> > > -----Original Message-----
> > > From: Mike Reinertsen [mailto:mike.reinertsen at nyfix.com]
> > > Sent: Monday, July 29, 2002 2:15 PM
> > > To: Williams, Nicolas; Mike Reinertsen; kerberos at mit.edu
> > > Subject: RE: krb5 API
> > > 
> > > 
> > > I have looked at that code and it is not clear to me how it works.  I
> > > tried to emulate it, but I'm calling krb5_get_in_tkt_with_password()
> > > and as_reply->enc_part2->key_exp is nil upon return from the call.  In
> > > the code you refer to, as_reply->enc_part2->key_exp is used to obtain
> > > the password expiration.  Perhaps I need to call krb5_get_init_creds?
> > > 
> > > Thanks.
> > > 
> > > -----Original Message-----
> > > From: Nicolas.Williams at ubsw.com [mailto:Nicolas.Williams at ubsw.com]
> > > Sent: Monday, July 29, 2002 12:24 PM
> > > To: mike.reinertsen at nyfix.com; kerberos at mit.edu
> > > Subject: RE: krb5 API
> > > 
> > > 
> > > 
> > > 1. Sort of, but yes. I forget the details, but take a look at how the
> > > krb5_get_init_creds_password() API's source does it.
> > > 
> > > 2. No. To access the details of password policies you need to use the
> > > kadm5 API, or, alternatively, you can try to change the user's password
> > > and rely on the error response to include some information about the
> > > password policy.
> > > 
> > > Nico
> > > -- 
> > > 
> > > > -----Original Message-----
> > > > From: Mike Reinertsen [mailto:mike.reinertsen at nyfix.com]
> > > > Sent: Monday, July 29, 2002 12:05 PM
> > > > To: 'kerberos at mit.edu'
> > > > Subject: krb5 API
> > > > 
> > > > 
> > > > Can one get a password's expiration date using the krb5 API?  Also,
> > > > can one get at password policies using the krb5 API?
> > > > 
> > > > Thanks.
> > > > ________________________________________________
> > > > Kerberos mailing list           Kerberos at mit.edu
> > > > http://mailman.mit.edu/mailman/listinfo/kerberos
> > > > 
> > > 
> > > Visit our website at http://www.ubswarburg.com
> > > 
> > > This message contains confidential information and is intended only 
> > > for the individual named.  If you are not the named addressee you 
> > > should not disseminate, distribute or copy this e-mail.  Please 
> > > notify the sender immediately by e-mail if you have received this 
> > > e-mail by mistake and delete this e-mail from your system.
> > > 
> > > E-mail transmission cannot be guaranteed to be secure or error-free 
> > > as information could be intercepted, corrupted, lost, destroyed, 
> > > arrive late or incomplete, or contain viruses.  The sender therefore 
> > > does not accept liability for any errors or omissions in the contents 
> > > of this message which arise as a result of e-mail transmission.  If 
> > > verification is required please request a hard-copy version.  This 
> > > message is provided for informational purposes and should not be 
> > > construed as a solicitation or offer to buy or sell any securities or 
> > > related financial instruments.
> > > 
> > 
> 


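The two routes the thread describes for learning when a password expires, as an added example that is not code from the thread or from MIT krb5: the library side derives the warning from key_exp (0 meaning no expiration, as Nico notes), and the application side has to recognise that warning when krb5_get_init_creds_password() passes it to the prompter callback as a banner with no prompts. The krb5_timestamp typedef is a local stand-in for MIT's 32-bit one so the file builds without libkrb5, and the banner wording and timestamps are constructed.

```c
/* Added example, not from the thread or MIT krb5. krb5_timestamp is a local
 * stand-in for MIT's 32-bit typedef; banner wording is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t krb5_timestamp;       /* stand-in for MIT's typedef */
enum { NO_EXPIRY = -1, NOT_SOON = 0, WARN = 1 };

/* Library side: decide whether a warning is due and build the banner.
 * 64-bit arithmetic so a key_exp near INT32_MAX cannot overflow. */
int expiry_warning(krb5_timestamp key_exp, krb5_timestamp now, int warn_days,
                   char *banner, size_t len)
{
    int64_t secs;
    if (key_exp == 0)
        return NO_EXPIRY;                   /* no expiration associated */
    secs = (int64_t)key_exp - (int64_t)now;
    if (secs > (int64_t)warn_days * 86400)
        return NOT_SOON;
    if (secs <= 0)
        snprintf(banner, len, "Password has expired");
    else
        snprintf(banner, len, "Password will expire in %d days",
                 (int)((secs + 86399) / 86400));   /* round up */
    return WARN;
}

/* Application side (prompter callback view): the warning arrives with
 * num_prompts == 0, which separates it from a real password prompt.
 * Returns 1 and sets *days when the banner is an expiry warning, else 0. */
int parse_expiry_banner(const char *banner, int num_prompts, int *days)
{
    const char *p;
    if (num_prompts != 0 || banner == NULL)
        return 0;
    p = strstr(banner, "expire in ");
    return p != NULL && sscanf(p, "expire in %d day", days) == 1;
}

/* Round trip: days left as the application recovers them; -1 when no
 * warning is issued, -2 when the banner says the password already expired. */
int days_left_via_banner(krb5_timestamp key_exp, krb5_timestamp now, int warn_days)
{
    char buf[80];
    int days = 0;
    if (expiry_warning(key_exp, now, warn_days, buf, sizeof buf) != WARN)
        return -1;
    return parse_expiry_banner(buf, 0, &days) ? days : -2;
}
```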