Improved support for password/principal expiration

James F.Hranicky jfh at cise.ufl.edu
Fri May 2 09:34:33 EDT 2003


Currently, Kerberos cannot notify users of both impending principal 
expiration and impending password expiration due to the fact that 
there is only one field (key_exp) in struct _krb5_enc_kdc_rep_part {}.

Looking through the code, it seems that it may be possible to add
another field to struct _krb5_enc_kdc_rep_part (e.g. princ_exp) at 
the end and to the asn1_encode/asn1_decode routines (as each field takes 
a field number) without causing problems with implementations that don't 
have this functionality. However, before I start doing anything, I'd love 
to know from the experts if this will break existing implementations when 
talking to a KDC modified in this way.

Otherwise, I'd be glad to add this functionality myself and send in a
patch.

Also, if this sounds useful, would anyone be interested in some 
modifications to krb5_g_i_c_p() that allow for more sysadmin configurability? 
Things like these:

	- ability to configure when warning messages are sent back. Currently,
	  it's seven days, but with the enhanced notification ability, I may
	  want to set password expiration notification to occur within a month 
	  of expiration, while I may set principal expiration notification to
	  occur a semester before the account expires to give people fair
	  enough warning.

	- ability to customize the messages sent back, say, including a web
	  page for instructions on how to renew an account to prevent the 
	  principal expiration at the end of the semester.

Currently, accounts stay open by default until I expire them (3 times a
year), but I would rather the default be than an account will expire unless 
the user renews it. This way, old accounts don't stay open if I miss one
:-> However, this functionality really requires that the user be well 
informed of when the account will expire, along with the means to prevent
the expiration. Since I plan on using password expiration as well, the 
above modifications would probably be necessary to make such a scheme
work well.

Thoughts?

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

"Given a choice between a complex, difficult-to-understand, disconcerting
 explanation and a simplistic, comforting one, many prefer simplistic
 comfort if it's remotely plausible, especially if it involves blaming
 someone else for their problems."
                                                -- Bob Lewis, _Infoworld_


More information about the Kerberos mailing list