Password expiration

James F.Hranicky jfh at cise.ufl.edu
Fri Mar 7 13:21:18 EST 2003


On Fri, 7 Mar 2003 11:26:13 -0600
"Jacques A. Vidrine" <nectar at celabo.org> wrote:

> On Fri, Mar 07, 2003 at 11:31:34AM -0500, James F.Hranicky wrote:
> > Is anyone actually using the password expiration features of
> > Kerberos?
> 
> For what it's worth, the password expiration features worked
> previously with login, sshd, pam_krb5 and Heimdal on FreeBSD and
> Linux.

I've got to get Kerberos working in some reasonable fashion on 
Linux, FreeBSD, IRIX, and Solaris :-( . 

> I'd be careful here.  The Linux-PAM and Solaris PAM implementations
> interpret that pointer differently.  I know it was correct for
> Linux-PAM, and I thought that Nico had checked it out for Solaris as
> well.

I'd be grateful if anyone using Solaris would verify that the two
patches I've sent in for pam_krb5-1.0.3 (the security fix and the pointer 
bug) were useful, necessary, and sufficient.

> However, if you have time and energy, people will learn to love you
> for fixing their PAM problems :)

I'm willing to work on it more, but I'd really like some help. XDM clearly
needs more work to enable password expiration, and I'm not even sure 
that it's really feasible to have XDM 

	- alert users when the password is going to expire soon (though
	  it could be done with a 

		system("xprompt message")

          or something icky like that)

	- notify the user the password has expired, and prompt the user
	  twice more for the new password

sshd currently is having problems with password expiry due to the new privsep
code, at least as far as I can tell from the openssh list.  Right now, in 
readpassphrase(), the function does a non-blocking read to get the passphrase, 
which simply returns 0 giving two empty responses, causing chauthtok 
(?) to fail. This is after fixing a bug that prevents pamstate in 
do_pam_conversation (auth-pam.c) from ever being anything other than 
INITIAL_LOGIN. What's funny is that if you run in debug mode, you can enter in 
the new password from the terminal you're running sshd from...nifty, but
impractical :->

I don't know what's up with kdm...eeesh.

Basically, it's a huge job dealing with hundreds of lines of C I haven't 
written or fully understand as yet. It's a bit too daunting to do by myself
at work, and I really don't have much spare time for it (wife and 4
kids :->)

Who's interested in getting it all working?

<rant>

Basically, Kerberos is a great idea all in all, but the current 
implementation leaves so many I's undotted and T's uncrossed, like, say, 
the above. Of course, the above is a huge band-aid on the fact that
there are so few Kerberized clients that sysadmins are left with 
not even bothering to try to implement "proper Kerberos". Without
password expiration, Kerberos becomes little more to me than a 
way to avoid having encrypted passwords in a password map: useful,
but less than it could be.

So, whoever's interested, work with me on fixing the above, lending real
password expiration support to however many login programs we can, then 
we can move on to Kerberizing or GSSAPI-izing mozilla and Apache :->

Then, we could work toward making Kerberized applications each do
the equivalent of a kinit, getting a ticket that can be used by other 
apps without needing people to run kinit as a standalone program at all!

Just ssh in, type your password, and voila, your TGT is now on
your local machine! Right? Now your browser can use it to access
your Kerberized web server!

</rant>

Of course, it's entirely possible I only know just enough to be 
dangerous, or more likely, annoying. Apologies for that. It just seems
that Kerberos, if done "properly" (so Mom doesn't have to know about it)
goes a long way toward making security more convenient, which is 
a good (?) thing.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
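Added example, not code from this thread or from pam_krb5/OpenSSH: a PAM conversation function written to the two points raised above, the Linux-PAM versus Solaris reading of the conversation's `msg` pointer (assumed here to be the pointer Jacques refers to) and the empty-reply case that makes chauthtok fail. The PAM types and constants are reproduced locally so the file compiles without libpam; `struct conv_data`, `conv_with_layout` and the answer list are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Mirrors of the <security/pam_appl.h> types and Linux-PAM constants, so this
 * builds without libpam; a real program includes the header instead. */
#define PAM_SUCCESS 0
#define PAM_BUF_ERR 5
#define PAM_CONV_ERR 19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON 2
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* Hypothetical appdata_ptr payload: answers the application already holds. */
struct conv_data { const char **answers; int n; int next; };
enum conv_layout { LAYOUT_LINUX, LAYOUT_SOLARIS };

/* Linux-PAM passes an array of num_msg pointers to messages; Solaris PAM passes a
 * pointer to one contiguous array.  Index it the wrong way and messages after the
 * first are read from garbage. */
static const struct pam_message *nth_msg(const struct pam_message **msg, int i,
                                         enum conv_layout layout) {
    return layout == LAYOUT_SOLARIS ? &(*msg)[i] : msg[i];
}

static void free_responses(struct pam_response *r, int n) {
    while (n-- > 0) free(r[n].resp);
    free(r);
}

/* A real callback fixes the layout at compile time (an #ifdef set by configure). */
int conv_with_layout(int num_msg, const struct pam_message **msg,
                     struct pam_response **resp, void *appdata, enum conv_layout layout) {
    struct conv_data *d = appdata;
    struct pam_response *r; const char *a; int i;
    if (num_msg <= 0 || d == NULL) return PAM_CONV_ERR;
    if ((r = calloc((size_t)num_msg, sizeof *r)) == NULL) return PAM_BUF_ERR;
    for (i = 0; i < num_msg; i++) {
        const struct pam_message *m = nth_msg(msg, i, layout);
        if (m->msg_style != PAM_PROMPT_ECHO_OFF && m->msg_style != PAM_PROMPT_ECHO_ON)
            continue;                      /* info/error text needs no reply */
        /* Never answer a prompt with ""; that is the silent chauthtok failure above. */
        if (d->next >= d->n || (a = d->answers[d->next++])[0] == '\0') {
            free_responses(r, num_msg); return PAM_CONV_ERR;
        }
        if ((r[i].resp = malloc(strlen(a) + 1)) == NULL) {
            free_responses(r, num_msg); return PAM_BUF_ERR;
        }
        strcpy(r[i].resp, a);
    }
    *resp = r;
    return PAM_SUCCESS;
}
```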

