krb5 API

Nicolas.Williams at ubsw.com
Mon Jul 29 14:37:00 EDT 2002


Well, technically, the key_exp field is ambiguous and deprecated
- instead there's a sequence field that is better suited for this
(LastReq - see RFC1510), but MIT krb5 doesn't support it.

Anyways, yes, the key_exp field is what you need - if it's set to
0 then the key/password has no expiration associated with it.

And yes, you should use the krb5_get_init_creds_*() API instead
of the krb5_get_in_tkt_with_*() API. The former is newer and
more general.

Is the krb5_get_in_tkt_with_*() API deprecated? The last Kfm
announcement said so, but that was specific to MacOS [X]...

Cheers,

Nico
-- 

> -----Original Message-----
> From: Mike Reinertsen [mailto:mike.reinertsen at nyfix.com]
> Sent: Monday, July 29, 2002 2:15 PM
> To: Williams, Nicolas; Mike Reinertsen; kerberos at mit.edu
> Subject: RE: krb5 API
> 
> 
> I have looked at that code and it is not clear to me how it works.  I tried
> to emulate it, but I'm calling krb5_get_in_tkt_with_password() and
> as_reply->enc_part2->key_exp is nil upon return from call.  In the code you
> refer to, as_reply->enc_part2->key_exp is used to obtain the password
> expiration.  Perhaps, I need to call krb5_get_init_creds?
> 
> Thanks.
> 
> -----Original Message-----
> From: Nicolas.Williams at ubsw.com [mailto:Nicolas.Williams at ubsw.com]
> Sent: Monday, July 29, 2002 12:24 PM
> To: mike.reinertsen at nyfix.com; kerberos at mit.edu
> Subject: RE: krb5 API
> 
> 
> 
> 1. Sort of, but yes. I forget the details, but take a look at how the
> krb5_get_init_creds_password() API's source does it.
> 
> 2. No. To access the details of password policies you need to use the
> kadm5 API, or, alternatively, you can try to change the user's password
> and rely on the error response to include some information about the
> password policy.
> 
> Nico
> -- 
> 
> > -----Original Message-----
> > From: Mike Reinertsen [mailto:mike.reinertsen at nyfix.com]
> > Sent: Monday, July 29, 2002 12:05 PM
> > To: 'kerberos at mit.edu'
> > Subject: krb5 API
> > 
> > 
> > Can one get a password's expiration date using the krb5 API?  Also, can one
> > get at password policies using the krb5 API?
> > 
> > Thanks.
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/kerberos
> > 
> 
> Visit our website at http://www.ubswarburg.com
> 
> This message contains confidential information and is intended only 
> for the individual named.  If you are not the named addressee you 
> should not disseminate, distribute or copy this e-mail.  Please 
> notify the sender immediately by e-mail if you have received this 
> e-mail by mistake and delete this e-mail from your system.
> 
> E-mail transmission cannot be guaranteed to be secure or error-free 
> as information could be intercepted, corrupted, lost, destroyed, 
> arrive late or incomplete, or contain viruses.  The sender therefore 
> does not accept liability for any errors or omissions in the contents 
> of this message which arise as a result of e-mail transmission.  If 
> verification is required please request a hard-copy version.  This 
> message is provided for informational purposes and should not be 
> construed as a solicitation or offer to buy or sell any securities or 
> related financial instruments.
> 
