Improved support for password/principal expiration
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri May 2 16:44:33 EDT 2003
>Hmmm...the only "application" that can really interpret it is the kgicp()
>code, isn't it?
Depends on the API you're using. With krb5_get_init_creds_*(), yes.
With the old krb5_get_in_tkt() API you get the krb5_kdc_rep back as one
of the arguments, so you can peek at last_req fields or key-exp yourself
(which is what I used to do). And when I say "application", I really
mean any client code.
>I don't really understand how the client is supposed to interpret what
>the KDC means...
Heh, well, therein lies the problem :-)
>> Ah-ha, I had forgotten ... there is already a last-req entry allocated
>> for account expiration! Password expiration has a lr-value of 6, and
>> account expiration has a lr-value of 7. So there you go; you've
>> already got a spot in the protocol.
>
>Shall I code it up, or do you want to? :->
Unfortunately, I'm waaay too busy right now, so it would probably be better
coming from you.
>At this point, then, I don't know what to do with the key_exp field, except
>ignore it I suppose.
I think that's safest, personally.
>I believe I can patch it myself if necessary...any thoughts on running
>the 1.3 code in production :-> ?
I think it's a little early myself, since it is only in alpha.
>Ok -- does anyone on the list want me to take this over to krb5dev, or is this
>discussion enough?
I think maybe proposing the change on krbdev can't hurt.
--Ken
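
An added example, not part of the original message and not code from MIT krb5: how client code that holds the decoded last-req sequence could pick out the lr-type 6 (password expiration) and lr-type 7 (account expiration) entries mentioned above. The `lr_entry` struct, the function names and the sample timestamps are constructed for illustration; treating a negative lr-type by its magnitude assumes the Kerberos specification's convention that negative values pertain only to the responding server.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for one decoded last-req entry (hypothetical type, not from krb5.h). */
struct lr_entry {
    int32_t lr_type;   /* 6 = password expiry, 7 = account expiry */
    int64_t lr_value;  /* expiry time, seconds since the epoch */
};
struct expiry_info { int64_t pw_exp, acct_exp; };  /* 0 = not reported */

static void keep_earliest(int64_t *slot, int64_t t)
{
    if (t > 0 && (*slot == 0 || t < *slot)) *slot = t;
}

/* Scan a NULL-terminated last-req array; unknown lr-types are skipped. */
struct expiry_info scan_last_req(const struct lr_entry *const *lr)
{
    struct expiry_info out = {0, 0};
    for (; lr != NULL && *lr != NULL; lr++) {
        int64_t type = (*lr)->lr_type;   /* widened so negation cannot overflow */
        if (type < 0) type = -type;      /* negative: responding server only */
        if (type == 6) keep_earliest(&out.pw_exp, (*lr)->lr_value);
        else if (type == 7) keep_earliest(&out.acct_exp, (*lr)->lr_value);
    }
    return out;
}

/* Whole days until time t: -1 if not reported, 0 if already past. */
int64_t days_left(int64_t t, int64_t now)
{
    if (t == 0) return -1;
    return t <= now ? 0 : (t - now) / 86400;
}

/* Constructed sample reply; "now" is taken as 1051900000 (early May 2003). */
struct expiry_info sample_scan(void)
{
    static const struct lr_entry e[] = {{0, 0}, {6, 1052764000}, {-7, 1052159200}, {7, 1054492000}, {6, 0}};
    static const struct lr_entry *const lr[] = {e, e + 1, e + 2, e + 3, e + 4, NULL};
    return scan_last_req(lr);
}

int main(void)
{
    struct expiry_info x = sample_scan();
    printf("password: %lld days, account: %lld days\n", (long long)days_left(x.pw_exp, 1051900000), (long long)days_left(x.acct_exp, 1051900000));
    return 0;
}
```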