password expiry for a principal
Russ Allbery
rra at stanford.edu
Thu Jan 17 23:20:39 EST 2008
Coy Hile <coy.hile at coyhile.com> writes:
> Is there any good way to make sure that a user will be prompted to change
> his password the next time he authenticates as a given principal?
>
> My first attempt was via setting the needchange flag on a test principal,
> but then I am unable to authenticate as that principal in the first place:
>
> kadmin: modprinc +needchange cah220
> Principal "cah220 at COYHILE.COM" modified.
> kadmin: quit
> [22:53:31]supergrover:~ % kinit cah220
> kinit(v5): Password has expired while getting initial credentials
> [22:53:37]supergrover:~ %
>
> For what it's worth, I'm using an MIT kdc (actually SEAM).
I don't believe kinit supports prompting for password changes, but you can
still use kpasswd when the principal is marked +needchange. A good PAM
module should currently handle this case and prompt the user to change
their password.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
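
The flow described in the reply above (kinit refuses an expired password, kpasswd still works), sketched as a shell wrapper. This is an added example, not part of the original message or of any Kerberos distribution; the function names and the `KINIT`/`KPASSWD` override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): retry kinit after a forced change.
# KINIT and KPASSWD are hypothetical override hooks so the flow can be
# exercised without a KDC; by default the real commands are used.

# Map kinit's error text to an action. "Password has expired" is the string
# shown in the thread; other kinit builds may word it differently.
classify_kinit_error() {
    case "$1" in
        *"Password has expired"*) echo expired ;;
        *)                        echo other ;;
    esac
}

# kinit_or_change PRINCIPAL
# Returns 0 once a TGT is obtained, non-zero otherwise.
kinit_or_change() {
    principal=$1
    # Capture stderr only; fd 3 keeps kinit's prompts on the original stdout.
    if { err=$(LC_ALL=C "${KINIT:-kinit}" "$principal" 2>&1 >&3); } 3>&1; then
        return 0
    fi
    if [ "$(classify_kinit_error "$err")" != expired ]; then
        printf '%s\n' "$err" >&2      # unrelated failure: report and stop
        return 1
    fi
    echo "Password for $principal must be changed before login." >&2
    # kpasswd authenticates with the old password and sets a new one,
    # which works while the principal is flagged +needchange.
    "${KPASSWD:-kpasswd}" "$principal" || return 1
    "${KINIT:-kinit}" "$principal"
}
```

Call it as `kinit_or_change cah220`; any failure other than an expired password is reported unchanged and no password change is attempted.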