Perl question

Garrett Wollman wollman at khavrinen.csail.mit.edu
Thu Sep 22 13:10:46 EDT 2005


In article <1127406998.18435.5.camel at localizer.uta.edu>,
Digant C Kasundra <digant at uta.edu> wrote:
>Hello folks,
>
>I'm trying to find a way to authenticate a username and password pair
>regardless of whether the password is expired or not.  When using
>Authen::Krb5, if an account's pw is expired, regardless of the password I
>use to try to get a ticket, it will give me the error that the password
>is expired.  How can I verify the username and password?

This isn't actually a Perl question.

You need to request an initial ticket for a password-changing
service, rather than the ticket-granting.  Expired users can only
request initial tickets for a service which is identified in the KDC
as being a password-changing service.

You should create a separate principal for this, so that you can
safely put that principal's key in a keytab and use it to verify the
ticket you have received.  The code you have shown does not verify the
ticket, and thus does not actually check the password.

-GAWollman

-- 
Garrett A. Wollman    | As the Constitution endures, persons in every
wollman at csail.mit.edu | generation can invoke its principles in their own
Opinions not those    | search for greater freedom.
of MIT or CSAIL.      | - A. Kennedy, Lawrence v. Texas, 539 U.S. 558 (2003)
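
The two steps described in the reply above, written with Authen::Krb5 as an added example; it is not code from the thread or from either participant. The service name `pwcheck`, the host `auth.example.edu` and the keytab path are hypothetical, and the KDC is assumed to flag that principal as a password-changing service.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::Krb5;

# All three values are hypothetical placeholders, not taken from the thread.
my $SERVICE = 'pwcheck';                   # dedicated service principal
my $HOST    = 'auth.example.edu';          # instance part of that principal
my $KEYTAB  = 'FILE:/etc/pwcheck.keytab';  # holds the key of pwcheck/$HOST

Authen::Krb5::init_context();              # once per process

# Returns (1, undef) if the ticket was obtained and verified, (0, $reason) otherwise.
sub check_password {
    my ($user, $password) = @_;
    my $fail = sub { return (0, "$_[0]: " . Authen::Krb5::error()) };

    my $client = Authen::Krb5::parse_name($user) or return $fail->('parse_name');
    # Build the name the same way mk_req() does below, so the cached ticket matches.
    my $server = Authen::Krb5::sname_to_principal(
        $HOST, $SERVICE, Authen::Krb5::KRB5_NT_SRV_HST())
        or return $fail->('sname_to_principal');

    # Private in-memory cache: the caller's default ccache is never touched.
    my $cc = Authen::Krb5::cc_resolve("MEMORY:pwcheck_$$")
        or return $fail->('cc_resolve');
    $cc->initialize($client);

    # Step 1: initial (AS) ticket for the service itself, not for krbtgt.
    Authen::Krb5::get_in_tkt_with_password($client, $server, $password, $cc)
        or return $fail->('initial ticket');

    # Step 2: present that ticket and decrypt it with the key from the keytab.
    my $req = Authen::Krb5::mk_req(
        Authen::Krb5::AuthContext->new, 0, $SERVICE, $HOST, '', $cc)
        or return $fail->('mk_req');
    my $kt = Authen::Krb5::kt_resolve($KEYTAB) or return $fail->('kt_resolve');
    Authen::Krb5::rd_req(Authen::Krb5::AuthContext->new, $req, $server, $kt)
        or return $fail->('rd_req');
    return (1, undef);
}

unless (caller) {
    my $user = shift @ARGV or die "usage: $0 principal   (password on stdin)\n";
    chomp(my $password = <STDIN> // '');
    my ($ok, $why) = check_password($user, $password);
    print $ok ? "password verified\n" : "not verified ($why)\n";
    exit($ok ? 0 : 1);
}
```

The keytab should be readable only by the account that runs the check, and `$HOST` must be a name that the Kerberos library canonicalizes to itself, since `mk_req` rebuilds the service principal from it.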

