Creating principal with +needchange and -pwexpire?

[Russ Allbery]

Andreas Ntaflos <daff at pseudoterminal.org> writes:

> I would have thought that the following command does what I want:

> kadmin.local -q "addprinc +needchange +requires_preauth \
>   -pwexpire '15 minutes' -pw secret foobar"

> If I understand correctly this adds a new principal foobar with password
> "secret" that should expire in 15 minutes and needs to change the
> password on the next kinit call. The "requires_preauth" seems to be set
> by the default policy and needs to be there, otherwise the principal
> cannot be authenticated.

> Unfortunately the user can still log in (and is prompted to change his 
> password by the system) even after the temporary password is past its 
> expiration date.

> Why so? Does "+needchange" take precedence over any password expiration 
> date?

No, password expiration dates don't mean what you think they mean.  A
password expiration date is the date after which the user is forced to
change their password.  It doesn't disable the principal entirely.  An
expired password configured via -pwexpire is exactly equivalent to marking
the account with +needschange, so far as I can determine, except that
+needschange is cleared completely on the next password change but
-pwexpire dates are pushed out by the password expiration time from the
password policy.

I don't think there's a way to do what you want entirely automatically.
You can set an expiration on the *principal*, but that isn't cleared
automatically on password change; you'll need some process to go back and
clear those expirations if the user changed their password.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>