password expiry for a principal

Russ Allbery rra at stanford.edu
Thu Jan 17 23:20:39 EST 2008


Coy Hile <coy.hile at coyhile.com> writes:

> Is there any good way to make sure that a user will be prompted to change
> his password the next time he authenticates as a given principal?
>
> My first attempt was via setting the needchange flag on a test principal,
> but then I am unable to authenticate as that principal in the first place:
>
> kadmin:  modprinc +needchange cah220
> Principal "cah220 at COYHILE.COM" modified.
> kadmin:  quit
> [22:53:31]supergrover:~ % kinit cah220
> kinit(v5): Password has expired while getting initial credentials
> [22:53:37]supergrover:~ %
>
> For what it's worth, I'm using an MIT kdc (actually SEAM).

I don't believe kinit supports prompting for password changes, but you can
still use kpasswd when the principal is marked +needchange.  A good PAM
module should currently handle this case and prompt the user to change
their password.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
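
Added example, not part of the original thread: a small POSIX shell wrapper that does by hand what the reply expects a PAM module to do, namely run kinit, recognise the "Password has expired" error shown above, and fall back to kpasswd before retrying. The function name `kinit_with_change` and its return codes are inventions of this example, and it assumes kinit prints that error text on stderr and does not write its password prompt there.

```shell
#!/bin/sh
# Added example (not from the thread): kinit with a kpasswd fallback for
# principals flagged +needchange.
# Return codes (chosen for this example):
#   0 = credentials obtained
#   1 = kinit failed for a reason other than expiry, or the retry failed
#   2 = could not create a temporary file
#   3 = password expired and kpasswd did not succeed

kinit_with_change() {
    princ=$1
    errfile=$(mktemp) || return 2

    # LC_ALL=C keeps the error text in the untranslated form seen in the
    # thread. Only stderr is captured; the password prompt is assumed to
    # go elsewhere.
    if LC_ALL=C kinit "$princ" 2>"$errfile"; then
        rm -f "$errfile"
        return 0
    fi

    if grep -q 'Password has expired' "$errfile"; then
        rm -f "$errfile"
        echo "Password for $princ has expired; changing it now." >&2
        # kpasswd still works for a +needchange principal.
        if kpasswd "$princ"; then
            # Retry with the new password.
            if kinit "$princ"; then
                return 0
            fi
            return 1
        fi
        return 3
    fi

    # Any other failure: show kinit's own message and give up.
    cat "$errfile" >&2
    rm -f "$errfile"
    return 1
}

# Usage: kinit_with_change cah220
```
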