password expiry for a principal

Jeffrey Altman jaltman at secure-endpoints.com
Sat Jan 26 21:04:43 EST 2008 

Why would Solaris compile with that flag?  Solaris doesn't use the login
library.  The login library is a MacOS X specific feature. 

In the current MIT sources, disabling prompting for a password
change is a run time option.  If the caller wants prompting to be
disabled they should be using the

  krb5_get_init_creds_opt_set_change_password_prompt(opt, prompt)

function to disable it.  This permits callers such as PAM that would
know how to handle prompting better on their own to do so while
permitting the Kerberos library to prompt in the default case.

Jeffrey Altman


Markus Moeller wrote:
> I checked the sources and Solaris compiles MIT Kerberos with 
> USE_LOGIN_LIBRARY and in gic_pwd.c it means it goes to cleanup without 
> password change attempt.
>
> #ifdef USE_LOGIN_LIBRARY
>         if (ret == KRB5KDC_ERR_KEY_EXP)
>                 goto cleanup;   /* Login library will deal appropriately 
> with this error */
> #endif
>
> I think this would mean pam_krb5 needs to remember the state in 
> pam_authenticate (which need to return PAM_SUCCESS) and use it in 
> pam_acct_mgmt which will then prompt. So I guess an option like 
> login_library_used for pam_krb5 on Solaris is needed.
>
> Markus
>
>
> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message 
> news:fn02tb$279$1 at ger.gmane.org...
>> I see now the same message. I have to check again why my initial test 
>> looked
>> OK.
>>
>> Markus
>>
>>
>> "Coy Hile" <coy.hile at coyhile.com> wrote in message
>> news:Pine.GSO.4.61.0801201153360.10312 at supergrover.coyhile.com...
>>> On Sat, 19 Jan 2008, Russ Allbery wrote:
>>>
>>>
>>> I'm running Solaris 10 Update 4, and when using Russ' pam_krb5 on a
>>> principal whose password has expired, I see the following in the debug
>>> log:
>>>
>>> |Jan 20 11:52:03 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5):
>>> cah220:
>>> attempting authentication as cah220 at COYHILE.COM
>>> |Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5):
>>> cah220:
>>> krb5_get_init_creds_password: Password has expired
>>> |Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5):
>>> cah220:
>>> <unknown>: exit (failure)
>>>
>>> For what it's worth, I've got the following in my pam.conf on this box:
>>>
>>> # grep sshd-kbdint pam.conf
>>> sshd-kbdint     auth requisite          pam_authtok_get.so.1
>>> sshd-kbdint     auth required           pam_dhkeys.so.1
>>> sshd-kbdint     auth required           /tmp/pam_krb5.so.1 debug
>>> sshd-kbdint     auth optional           pam_unix_auth.so.1
>>> sshd-kbdint     session required /tmp/pam_krb5.so.1 debug
>>> #
>>>
>>> Am I running into SEAM just not supporting "hey bozo, you're password is
>>> expired, change it now", or did I hork the configuration somehow.
>>>
>>> If you want, I can also provide the sshd_config.
>>>
>>> I appreciate any help you can give with this; I'm still a bit of a
>>> novice when it comes to doing anything cute.  Along the same lines, is
>>> there any way to bounce back something like "Your password is going to
>>> expire in n days" during the authentication process? (say only if n <
>>> 10).  Actually strike that.  Is there some easy way to write an app
>>> that you'd run from /etc/profile to banner that sort of information? If
>>> I were using normal UNIX auth, I could do that relatively easily using
>>> the information in the shadow file.
>>>
>>> -- 
>>> Coy Hile
>>> coy.hile at coyhile.com
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20080126/28943578/attachment.bin

More information about the Kerberos mailing list