krb5 API
Dan Riley
dsr at mail.lns.cornell.edu
Fri Aug 2 18:49:07 EDT 2002
Nicolas.Williams at ubsw.com (Nicolas Williams) writes:
> Oh, yes, IIRC there was a bug in krb5_gic_pwd() that prevented the
> "Password will expire in X [time]" warning from ever being prompted.
>
> I forget the details, but I can dig it up - IIRC it was pretty obvious.

The one I reported can be found at:

http://mailman.mit.edu/pipermail/krb5-bugs/2002-February/000012.html

I was tempted to rewrite that entire if, but was trying to keep the
patches minimal.

However, there's also the issue of the meaning of the key_exp field which
you've alluded to. The MIT KDC sets key_exp to the *principal*
expiration time, not the password expiration, so the prompter still
won't trigger on password expiration. We patch our kdc thusly:

--- kdc/do_as_req.c Thu Oct 25 15:27:09 2001
+++ ../../krb5/kdc/do_as_req.c Fri Dec 21 14:12:21 2001
@@ -374,7 +374,7 @@
goto errout;
}
reply_encpart.nonce = request->nonce;
- reply_encpart.key_exp = client.expiration;
+ reply_encpart.key_exp = client.pw_expiration;
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;
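
Review bot: The new `reply_encpart.key_exp = client.pw_expiration;` assignment drops `client.expiration` from the reply entirely, so a client whose principal expires before its password no longer learns of the earlier deadline from key_exp. Consider assigning the earlier of the two values instead, treating a zero value as "never expires" if that is the convention for these fields, and add a short comment at the assignment explaining why key_exp is not simply the principal expiration.
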
--
"The mere tendency of speech to encourage unlawful acts is not a
sufficient reason for banning it. [...] The right to think is the
beginning of freedom, and speech must be protected from the government
because speech is the beginning of thought." --Anthony Kennedy