Improved support for password/principal expiration
Raymond M Schneider
ray at securityfoo.net
Fri May 2 10:02:32 EDT 2003
I seem to recall someone telling me that even though passwd expiration
notification was broken in the 1.2.* codebase, it had been fixed
in the 1.3.* codebase. Is that still true?
--ray
On Fri, May 02, 2003 at 09:34:33AM -0400, James F. Hranicky wrote:
> Currently, Kerberos cannot notify users of both impending principal
> expiration and impending password expiration due to the fact that
> there is only one field (key_exp) in struct _krb5_enc_kdc_rep_part {}.
>
> Looking through the code, it seems that it may be possible to add
> another field to struct _krb5_enc_kdc_rep_part (e.g. princ_exp) at
> the end and to the asn1_encode/asn1_decode routines (as each field takes
> a field number) without causing problems with implementations that don't
> have this functionality. However, before I start doing anything, I'd love
> to know from the experts if this will break existing implementations when
> talking to a KDC modified in this way.
>
> Otherwise, I'd be glad to add this functionality myself and send in a
> patch.
>
> Also, if this sounds useful, would anyone be interested in some
> modifications to krb5_g_i_c_p() that allow for more sysadmin configurability?
> Things like these:
>
> - ability to configure when warning messages are sent back. Currently,
> it's seven days, but with the enhanced notification ability, I may
> want to set password expiration notification to occur within a month
> of expiration, while I may set principal expiration notification to
> occur a semester before the account expires to give people fair
> enough warning.
>
> - ability to customize the messages sent back, say, including a web
> page for instructions on how to renew an account to prevent the
> principal expiration at the end of the semester.
>
> Currently, accounts stay open by default until I expire them (3 times a
> year), but I would rather the default be that an account will expire unless
> the user renews it. This way, old accounts don't stay open if I miss one
> :-> However, this functionality really requires that the user be well
> informed of when the account will expire, along with the means to prevent
> the expiration. Since I plan on using password expiration as well, the
> above modifications would probably be necessary to make such a scheme
> work well.
>
> Thoughts?
>
> ----------------------------------------------------------------------
> | Jim Hranicky, Senior SysAdmin UF/CISE Department |
> | E314D CSE Building Phone (352) 392-1499 |
> | jfh at cise.ufl.edu http://www.cise.ufl.edu/~jfh |
> ----------------------------------------------------------------------
>
> "Given a choice between a complex, difficult-to-understand, disconcerting
> explanation and a simplistic, comforting one, many prefer simplistic
> comfort if it's remotely plausible, especially if it involves blaming
> someone else for their problems."
> -- Bob Lewis, _Infoworld_
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos