Improved support for password/principal expiration
James F.Hranicky
jfh at cise.ufl.edu
Fri May 2 09:34:33 EDT 2003
Currently, Kerberos cannot notify users of both impending principal
expiration and impending password expiration due to the fact that
there is only one field (key_exp) in struct _krb5_enc_kdc_rep_part {}.
Looking through the code, it seems that it may be possible to add
another field to struct _krb5_enc_kdc_rep_part (e.g. princ_exp) at
the end and to the asn1_encode/asn1_decode routines (as each field takes
a field number) without causing problems with implementations that don't
have this functionality. However, before I start doing anything, I'd love
to know from the experts if this will break existing implementations when
talking to a KDC modified in this way.
Otherwise, I'd be glad to add this functionality myself and send in a
patch.
Also, if this sounds useful, would anyone be interested in some
modifications to krb5_g_i_c_p() that allow for more sysadmin configurability?
Things like these:
- ability to configure when warning messages are sent back. Currently,
it's seven days, but with the enhanced notification ability, I may
want to set password expiration notification to occur within a month
of expiration, while I may set principal expiration notification to
occur a semester before the account expires to give people fair
enough warning.
- ability to customize the messages sent back, say, including a web
page for instructions on how to renew an account to prevent the
principal expiration at the end of the semester.
Currently, accounts stay open by default until I expire them (3 times a
year), but I would rather the default be than an account will expire unless
the user renews it. This way, old accounts don't stay open if I miss one
:-> However, this functionality really requires that the user be well
informed of when the account will expire, along with the means to prevent
the expiration. Since I plan on using password expiration as well, the
above modifications would probably be necessary to make such a scheme
work well.
Thoughts?
----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin UF/CISE Department |
| E314D CSE Building Phone (352) 392-1499 |
| jfh at cise.ufl.edu http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
"Given a choice between a complex, difficult-to-understand, disconcerting
explanation and a simplistic, comforting one, many prefer simplistic
comfort if it's remotely plausible, especially if it involves blaming
someone else for their problems."
-- Bob Lewis, _Infoworld_
More information about the Kerberos
mailing list