Creating principal with +needchange and -pwexpire?

Andreas Ntaflos daff at pseudoterminal.org
Tue Nov 9 11:02:15 EST 2010


[Apologies, I sent this message earlier but from a non-subscribed 
account of mine. I hope a moderator catches and discards it.]

Hello list, 

I am not quite new to Kerberos but never had to do much more than create 
and delete principals, so I am not very experienced in administering 
Kerberos. Thus my question. I am using Ubuntu 10.04 Server, krb5-kdc and 
krb5-admin-server in version 1.8.1 (1.8.1+dfsg-2ubuntu0.3 to be exact).

Is it possible to create a new principal that requires its user to 
change the password and expires after a certain time if the user does 
not log in to change it? 

I would have thought that the following command does what I want:

kadmin.local -q "addprinc +needchange +requires_preauth \
  -pwexpire '15 minutes' -pw secret foobar"

If I understand correctly this adds a new principal foobar with password 
"secret" that should expire in 15 minutes and must change the 
password on the next kinit call. The "requires_preauth" seems to be set 
by the default policy and needs to be there, otherwise the principal 
cannot be authenticated.

Unfortunately the user can still log in (and is prompted to change his 
password by the system) even after the temporary password is past its 
expiration date.

Why so? Does "+needchange" take precedence over any password expiration 
date?

I want to do this because we create principals by Python scripts and 
send users the credentials by unencrypted email, including a temporary 
password. This password must be changed by the user and we don't want 
the temporary password to be valid forever if a user is too lazy to log 
in and change it in time. If it were, anyone who manages to get hold of 
the email message containing the credentials could use the account. 
Minimising that risk is just good security policy, although in reality 
that particular scenario is not very likely to occur.

Thanks in advance!

Andreas
-- 
Andreas Ntaflos
Vienna, Austria

GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC  7E65 397C E2A8 090C A9B4
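The following is an added example, not code from the original post or from the MIT krb5 project, written for the provisioning script the poster describes. It shows what the KDC does with the two flags in question: in MIT krb5 an expired password (-pwexpire) is still accepted by the kadmin/changepw service, which is why kinit answers with a password-change prompt instead of refusing; an expired principal (-expire) is refused by the KDC outright. The script therefore sets a principal expiration for the temporary credential, keeps +needchange and +requires_preauth, and then reads back `getprinc` to verify that "Expiration date" and "Attributes" hold what was intended. It assumes `kadmin.local` is on PATH, that kadmin's own query tokeniser honours a double-quoted token such as "15 minutes", and the `getprinc` field names printed by MIT krb5 1.8; `SAMPLE_GETPRINC` is constructed output modelling the poster's original command, not captured from a real KDC.

```python
"""Create a short-lived temporary principal and verify what the KDC stored.

Added example (not from the original post). Assumes MIT krb5 kadmin.local
on PATH and the "Field: value" layout of `getprinc` output in MIT krb5 1.8.
"""
import secrets
import subprocess

# Flags a temporary, emailed credential must carry: forced change on first
# use and no unauthenticated AS-REQ for the (weak, emailed) password.
REQUIRED_ATTRS = ("REQUIRES_PWCHANGE", "REQUIRES_PRE_AUTH")


def make_temp_password():
    """Random temporary password from a URL-safe alphabet.

    Base64url characters contain no whitespace or quotes, so the value
    survives kadmin's query tokeniser without any escaping.
    """
    return secrets.token_urlsafe(12)


def addprinc_argv(principal, temp_password, valid_for="15 minutes"):
    """argv for kadmin.local that creates the temporary principal.

    -expire (principal expiration) is used instead of -pwexpire: an expired
    *password* only triggers the change prompt the poster observed, whereas
    an expired *principal* is refused by the KDC, so an unused temporary
    password becomes worthless after `valid_for`. The argv list is executed
    without a shell; the double quotes are for kadmin's own tokeniser so
    that "15 minutes" stays one getdate argument (assumed behaviour).
    """
    query = " ".join([
        "addprinc", "+needchange", "+requires_preauth",
        "-expire", '"%s"' % valid_for,
        "-pw", temp_password, principal,
    ])
    return ["kadmin.local", "-q", query]


def parse_getprinc(text):
    """Turn `getprinc` output ("Field: value" per line) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_temporary_principal(fields):
    """Reasons (empty list if none) why this is not a safe temporary principal."""
    problems = []
    if fields.get("Expiration date", "[never]") == "[never]":
        problems.append("principal never expires: an unused temporary "
                        "password stays valid forever")
    attrs = set(fields.get("Attributes", "").split())
    for attr in REQUIRED_ATTRS:
        if attr not in attrs:
            problems.append("attribute %s not set" % attr)
    return problems


# Constructed sample (not real KDC output) in the shape MIT krb5 1.8 prints,
# modelling the poster's command: password expiry set, principal expiry not.
SAMPLE_GETPRINC = """\
Principal: foobar@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Nov 09 11:02:15 EST 2010
Password expiration date: Tue Nov 09 11:17:15 EST 2010
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Nov 09 11:02:15 EST 2010 (root/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH REQUIRES_PWCHANGE
Policy: [none]
"""


def getprinc(principal):
    """Read the stored entry back; getprinc writes its report to stdout."""
    out = subprocess.run(["kadmin.local", "-q", "getprinc " + principal],
                         check=True, capture_output=True, text=True).stdout
    return parse_getprinc(out)


def create_temporary_principal(principal, valid_for="15 minutes"):
    """Create, verify, and return the temporary password to be mailed out."""
    password = make_temp_password()
    subprocess.run(addprinc_argv(principal, password, valid_for), check=True)
    problems = audit_temporary_principal(getprinc(principal))
    if problems:
        raise RuntimeError("%s: %s" % (principal, "; ".join(problems)))
    return password


if __name__ == "__main__":
    print(create_temporary_principal("foobar"))
```

Run against `SAMPLE_GETPRINC`, the audit reports exactly the situation in the post: the required attributes are present but the principal itself never expires, so the temporary password remains usable for the password-change service indefinitely. With `-expire` the same audit passes, and a password that was never changed in time can no longer be used at all.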
