password expiry for a principal
Tom Yu
tlyu at MIT.EDU
Fri Jan 18 00:01:46 EST 2008
>>>>> "Russ" == Russ Allbery <rra at stanford.edu> writes:
Russ> Coy Hile <coy.hile at coyhile.com> writes:
>> kadmin: modprinc +needchange cah220
>> Principal "cah220 at COYHILE.COM" modified.
>> kadmin: quit
>> [22:53:31]supergrover:~ % kinit cah220
>> kinit(v5): Password has expired while getting initial credentials
>> [22:53:37]supergrover:~ %
>>
>> For what it's worth, I'm using an MIT kdc (actually SEAM).
Russ> I don't believe kinit supports prompting for password changes, but you can
Russ> still use kpasswd when the principal is marked +needchange. A good PAM
Russ> module should currently handle this case and prompt the user to change
Russ> their password.
A modern kinit program that uses the get_init_creds API will prompt
for a password change if the password has expired. I don't know if
the SEAM kinit is one of these, and you didn't mention which kinit
program you're using.
---Tom
More information about the Kerberos
mailing list