Password expiration

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Mar 10 11:03:55 EST 2003


>> I believe the _client_ support for this has been cleaned up and should
>> be better in MIT Kerberos 1.3, when it comes out (I don't know when that
>> will be).  So that is at least one important piece of the puzzle.
>
>Ok -- is the 1.3 CVS worth installing at this point?

I'm not a fan of using pre-release software in production, so I wouldn't
know.  Note that changes still need to be added to the KDC to make it
work properly.

>> >	  o If the pamified program ignores or improperly implements
>> >	    the pam conversation function once the password has expired, 
>> >	    the user gets logged in, the password expiration time is 
>> >	    cleared (!!) from the KDC. I've seen this with sshd & kdm.
>> 
>> It gets _cleared_?  How could that happen ... the password expiration time
>> should only be cleared by a password change?
>
>*shrug* I haven't gone through all the code with gdb, but it's happened with
>two apps. I'll see if I can track down where it is. 
>
>Your reaction is the same as mine was, believe me.

You might want to check the kadmind logs to see if there is a password
change happening in there; you might be getting bitten by an errant PAM
module.  I can't really think of another explanation.

--Ken
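
Added example (not part of the original message): one way to run the kadmind log check suggested above is to pull out every password or key change recorded for the affected principal and compare the timestamps with the logins where the expiration was cleared. The two log line shapes in the comments are assumptions about MIT kadmind's output and should be checked against your own logs; the sample lines, host names and principals are constructed.

```python
import re

# Assumed kadmind log shapes (verify against your own log file):
#   ... Request: kadm5_chpass_principal, PRINC, STATUS, client=C, service=S, addr=A
#   ... chpw request from ADDR for PRINC: STATUS
TS = r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?"
ADMIN_RE = re.compile(
    TS + r"Request: (?P<op>kadm5_\w+), (?P<princ>[^,]+), (?P<status>[^,]+), "
    r"client=(?P<client>[^,]+), service=(?P<service>[^,]+), addr=(?P<addr>\S+)")
CHPW_RE = re.compile(
    TS + r"chpw request from (?P<addr>\S+) for (?P<princ>[^:]+): (?P<status>.+)$")

# Admin operations that replace a principal's keys.
KEY_CHANGE_OPS = {"kadm5_chpass_principal", "kadm5_randkey_principal"}

def password_changes(lines, principal):
    """Return key/password change events logged for `principal`, in log order."""
    events = []
    for line in lines:
        m = ADMIN_RE.search(line)
        if m:
            if m["op"] in KEY_CHANGE_OPS and m["princ"] == principal:
                events.append({"ts": m["ts"], "via": m["op"], "addr": m["addr"],
                               "client": m["client"], "status": m["status"]})
            continue
        m = CHPW_RE.search(line)
        if m and m["princ"] == principal:
            # The kpasswd path logs the source address but no client field.
            events.append({"ts": m["ts"], "via": "chpw", "addr": m["addr"],
                           "client": None, "status": m["status"]})
    return events

# Constructed sample log, for illustration only.
SAMPLE_LOG = """\
Mar 10 10:41:07 kdc1.example.com kadmind[812](Notice): Request: kadm5_get_principal, alice@EXAMPLE.COM, success, client=admin/admin@EXAMPLE.COM, service=kadmin/admin@EXAMPLE.COM, addr=192.0.2.5
Mar 10 10:58:01 kdc1.example.com kadmind[812](Notice): chpw request from 192.0.2.10 for alice@EXAMPLE.COM: success
Mar 10 10:59:30 kdc1.example.com kadmind[812](Notice): chpw request from 192.0.2.11 for bob@EXAMPLE.COM: success
Mar 10 11:02:44 kdc1.example.com kadmind[812](Notice): Request: kadm5_chpass_principal, alice@EXAMPLE.COM, success, client=alice@EXAMPLE.COM, service=kadmin/changepw@EXAMPLE.COM, addr=192.0.2.10
"""

if __name__ == "__main__":
    for ev in password_changes(SAMPLE_LOG.splitlines(), "alice@EXAMPLE.COM"):
        print(ev["ts"], ev["via"], ev["addr"], ev["status"])
```

An event whose timestamp lines up with an sshd or kdm login from the same host would point at a PAM module changing the password during that login.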

