Password expiration
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Mar 10 11:03:55 EST 2003
>> I believe the _client_ support for this has been cleaned up and should
>> be better in MIT Kerberos 1.3, when it comes out (I don't know when that
>> will be). So that is at least one important piece of the puzzle.
>
>Ok -- is the 1.3 CVS worth installing at this point?
I'm not a fan of using pre-release software in production, so I wouldn't
know. Note that changes still need to be added to the KDC to make it
work properly.
>> > o If the pamified program ignores or improperly implements
>> > the pam conversation function once the password has expired,
>> > the user gets logged in, the password expiration time is
>> > cleared (!!) from the KDC. I've seen this with sshd & kdm.
>>
>> It gets _cleared_? How could that happen ... the password expiration time
>> should only be cleared by a password change?
>
>*shrug* I haven't gone through all the code with gdb, but it's happened with
>two apps. I'll see if I can track down where it is.
>
>Your reaction is the same as mine was, believe me.
You might want to check the kadmind logs to see if there is a password
change happening in there; you might be getting bitten by an errant PAM
module. I can't really think of another explanation.
--Ken
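
Added example, not part of the original message: a small filter that pulls out kadmind log entries showing a password change (or other key/attribute change) for one principal, which is the check suggested above. The log line shapes are assumed from MIT krb5 kadmind logging and may differ in your release; the sample lines, principals and addresses are constructed.

```python
import re

# Line shapes assumed from MIT krb5 kadmind logging; check them against your release.
RPC_RE = re.compile(
    r"Request: (?P<op>kadm5_\w+), (?P<target>[^,]+), (?P<status>[^,]+), "
    r"client=(?P<client>[^,]+), service=(?P<service>[^,]+), addr=(?P<addr>\S+)"
)
CHPW_RE = re.compile(r"chpw request from (?P<addr>\S+) for (?P<target>\S+): (?P<status>.+)$")

# kadmin RPCs that change a principal's keys or attributes.
KEY_OR_ATTR_OPS = {"kadm5_chpass_principal", "kadm5_randkey_principal",
                   "kadm5_modify_principal"}

# Constructed sample lines (hosts, principals and addresses are made up).
SAMPLE_LOG = [
    "Mar 10 10:58:02 kdc1 kadmind[812](Notice): Request: kadm5_get_principal, "
    "jdoe@EXAMPLE.COM, success, client=admin/admin@EXAMPLE.COM, "
    "service=kadmin/admin@EXAMPLE.COM, addr=192.0.2.10",
    "Mar 10 11:01:17 kdc1 kadmind[812](Notice): chpw request from 192.0.2.44 "
    "for jdoe@EXAMPLE.COM: success",
    "Mar 10 11:02:40 kdc1 kadmind[812](Notice): Request: kadm5_chpass_principal, "
    "asmith@EXAMPLE.COM, success, client=asmith@EXAMPLE.COM, "
    "service=kadmin/changepw@EXAMPLE.COM, addr=192.0.2.51",
    "Mar 10 11:03:05 kdc1 kadmind[812](Notice): Request: kadm5_modify_principal, "
    "jdoe@EXAMPLE.COM, success, client=admin/admin@EXAMPLE.COM, "
    "service=kadmin/admin@EXAMPLE.COM, addr=192.0.2.10",
]

def password_events(lines, principal):
    """Return kadmind requests that touch the keys or attributes of `principal`."""
    events = []
    for line in lines:
        rpc = RPC_RE.search(line)
        chpw = CHPW_RE.search(line)
        if rpc and rpc["op"] in KEY_OR_ATTR_OPS and rpc["target"] == principal:
            events.append({"op": rpc["op"], "status": rpc["status"],
                           "client": rpc["client"], "service": rpc["service"],
                           "addr": rpc["addr"]})
        elif chpw and chpw["target"] == principal:
            # kpasswd-protocol change: the line carries no client or service field
            events.append({"op": "chpw", "status": chpw["status"].strip(),
                           "client": None, "service": None, "addr": chpw["addr"]})
    return events

if __name__ == "__main__":
    for ev in password_events(SAMPLE_LOG, "jdoe@EXAMPLE.COM"):
        print(ev)
```

An entry whose timestamp lines up with the affected login, coming from the login host's address, would point at a PAM module issuing the change.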