Password expiration
James F. Hranicky
jfh at cise.ufl.edu
Fri Mar 7 11:31:34 EST 2003
Is anyone actually using the password expiration features of Kerberos?
I've been trying to make sure it works properly with the pam_krb5-1.0.3
package, but I've run into so many problems I'm wondering about the
feasibility of doing so:
- I can only apparently get the pw_expiration info when running
krb5_get_init_creds_password or krb5_get_init_creds, not with
another library function
- requirement to patch both the krb5 libraries and the KDC to
get it to actually work
- buggy pam_krb5-1.0.3 module: I just recently sent in a patch
that fixed a simple pointer bug in the module causing
segfaults whenever the libraries returned any messages
(e.g., "Your password will expire...", "Your password has expired")
- buggy PAM programs:
o the PAM patch for XDM causes a segfault when the
(struct pam_message **) msg argument contains more than
one message due to incorrect pointer dereference (derefs
msg[count]->msg instead of msg[0][count].msg). I fixed
that, but I'm getting another segfault elsewhere
o If the pamified program ignores or improperly implements
the pam conversation function once the password has expired,
the user gets logged in, the password expiration time is
cleared (!!) from the KDC. I've seen this with sshd & kdm.
o dtlogin does inform me that my password has expired, and that
I need to change it now, but offers me no way to do so.
So, has anyone actually implemented password expiration in a decent fashion
for the important login facilities for their network, i.e., xdm, dtlogin,
sshd, su, xlock, etc.? My options appear to be:
- use or hack in native Kerberos support in my apps that does the
right thing
- run a script periodically that does a getprinc for all my principals
and sends them mail when their password is going to expire within a
certain period of time
- keep going down the PAM path and fix things as I find them (Anyone
interested in helping?)
Thoughts?
----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin UF/CISE Department |
| E314D CSE Building Phone (352) 392-1499 |
| jfh at cise.ufl.edu http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
"Given a choice between a complex, difficult-to-understand, disconcerting
explanation and a simplistic, comforting one, many prefer simplistic
comfort if it's remotely plausible, especially if it involves blaming
someone else for their problems."
-- Bob Lewis, _Infoworld_
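One concrete form of the second option listed in the post (a periodic scan of `getprinc` output that flags principals whose password is about to expire). This is an added example, not code from the original post; it assumes the `Principal:` / `Password expiration date:` fields and the `Fri Mar 07 11:31:34 EST 2003` date style shown in the constructed sample, and that the KDC and the script share one local time zone.

```python
"""Scan `kadmin getprinc` output and flag principals whose Kerberos
password has expired or will expire within a warning window."""
from datetime import datetime, timedelta

# Constructed sample shaped like `kadmin.local -q "getprinc <name>"` output
# for three principals (real output carries more fields; only these matter).
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jan 06 09:12:00 EST 2003
Password expiration date: Wed Mar 12 09:12:00 EST 2003
Policy: [none]
Principal: bob@EXAMPLE.COM
Expiration date: [never]
Last password change: Fri Feb 28 17:40:00 EST 2003
Password expiration date: [none]
Policy: [none]
Principal: carol@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Dec 03 08:00:00 EST 2002
Password expiration date: Mon Mar 03 08:00:00 EST 2003
Policy: [none]
"""

def parse_kadmin_date(text):
    """Parse a kadmin timestamp such as 'Fri Mar 07 11:31:34 EST 2003'.
    '[none]' / '[never]' mean no expiration. The zone token is dropped
    (assumption: KDC and script run in the same local zone)."""
    text = text.strip()
    if text.startswith("["):
        return None
    parts = text.split()
    del parts[4]  # strptime's %Z only accepts the local zone names; skip it
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_getprinc(output):
    """Return {principal: password_expiration_or_None} from getprinc output."""
    records, current = {}, None
    for line in output.splitlines():
        if line.startswith("Principal:"):
            current = line.split(None, 1)[1].strip()
            records[current] = None
        elif line.startswith("Password expiration date:") and current:
            records[current] = parse_kadmin_date(line.split(":", 1)[1])
    return records

def expiring_soon(records, now, days):
    """Map principal -> 'expired' (already past) or 'warn' (within `days`)."""
    cutoff, result = now + timedelta(days=days), {}
    for princ, exp in records.items():
        if exp is not None and exp <= now:
            result[princ] = "expired"
        elif exp is not None and exp <= cutoff:
            result[princ] = "warn"
    return result

if __name__ == "__main__":
    now = parse_kadmin_date("Fri Mar 07 11:31:34 EST 2003")  # constructed
    for princ, state in sorted(expiring_soon(parse_getprinc(SAMPLE_GETPRINC), now, 7).items()):
        print(f"{state:8} {princ}")  # hand these to your mail step
```

In a real deployment the sample string would be replaced by the captured output of a `getprinc` loop over `listprincs`, and the `[none]` case is worth keeping visible: it is exactly what a principal looks like after a broken PAM conversation has cleared its expiration.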