Validating Users With Expired Passwords

John Hascall john at iastate.edu
Thu Jan 19 16:31:53 EST 2006


> Bear with me...
> 
> I am a PHP programmer for a college -- I've never had to deal with Perl
> up until this moment.  We now need a web-based utility to handle users
> with expired passwords; since we use a most mangled form of
> authentication using a bloody mesh of PAM, Kerberos and Active
> Directory, my best option is to use Perl inside of a PHP page to check
> their credentials against Kerberos.
> 
> In a nutshell, I need to take a username and an expired password and
> see if that truly was the users' last password.  Once I'm able to
> validate the users' expired information, I already have a system in
> place that will change their password through a web-based form...  It's
> just the authentication with expired credentials that's killing.
> 
> Please understand, I've never dealt with kerberos either until this
> point -- I don't understand how it works or the terms used to
> identify various aspects.  I've heard principal and ticket thrown
> around, but it's something that's never been explained.  If any one
> isn't busy stuffing a pencil in their eye, I'd appreciate any sample
> code or direction in this matter;  as much as I'd love to take a couple
> of weeks or so and research the topic and the language, my boss just
> wants it done now.
> 
> Thanks,
> Rob.
> 
> PS: I don't blame you if, instead of taking the time to answer this
> post, you do something more productive like devoting the morning to
> clearing out any extra belly button lint.  I know how asinine these
> types of posts can be.  My apologies.

If you present a correct but expired password to Kerberos
you will get a 'password expired' error, which is different
from the 'password incorrect' error you get if the password
is not correct (expired or not).

Normally, at this point you would not ask for the krbtgt
("ticket granting") ticket, but would ask for the "change
password" ticket instead (the server has special-case code
to give out this specific ticket even if the password is
expired).  You would then use this ticket to make the
change password request to the admin server.

I would look at the code to the kerberos library routine
krb5_get_init_creds_password() for more clues.  If your
code is organized in such a way as to allow you to use
this routine, then a lot of the ugly work is taken care
of for you.


John

