Creating principal with +needchange and -pwexpire?
Russ Allbery
rra at stanford.edu
Tue Nov 9 11:53:04 EST 2010
Andreas Ntaflos <daff at pseudoterminal.org> writes:

> I would have thought that the following command does what I want:
>
> kadmin.local -q "addprinc +needchange +requires_preauth \
> -pwexpire '15 minutes' -pw secret foobar"
>
> If I understand correctly this adds a new principal foobar with password
> "secret" that should expire in 15 minutes and needs to change the
> password on the next kinit call. The "requires_preauth" seems to be set
> by the default policy and needs to be there, otherwise the principal
> cannot be authenticated.
>
> Unfortunately the user can still log in (and is prompted to change his
> password by the system) even after the temporary password is past its
> expiration date.
>
> Why so? Does "+needchange" take precedence over any password expiration
> date?
No, password expiration dates don't mean what you think they mean. A
password expiration date is the date after which the user is forced to
change their password. It doesn't disable the principal entirely. An
expired password configured via -pwexpire is exactly equivalent to marking
the account with +needchange, so far as I can determine, except that
+needchange is cleared completely on the next password change but
-pwexpire dates are pushed out by the password expiration time from the
password policy.

I don't think there's a way to do what you want entirely automatically.
You can set an expiration on the *principal*, but that isn't cleared
automatically on password change; you'll need some process to go back and
clear those expirations if the user changed their password.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
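The clean-up process the reply says you would need, as an added example that is not from the thread or from MIT krb5: it parses concatenated `getprinc` output (the sample is constructed) and lists the principals whose account expiration can be lifted. It assumes the admin set `-expire` and `-pwexpire` on the same deadline, so that a password expiration pushed past the principal expiration is the sign that the user has already changed the temporary password; the `parse_kdc_time`, `parse_getprinc` and `expirations_to_clear` names are mine.

```python
from datetime import datetime
NEVER = "[never]"

# Constructed getprinc output (not from a real KDC): foobar has changed the password
# (policy pushed pwexpire out), alice has not, bob has no principal expiration.
SAMPLE = """\
Principal: foobar@EXAMPLE.COM
Expiration date: Tue Nov 09 12:08:04 EST 2010
Last password change: Tue Nov 09 11:58:30 EST 2010
Password expiration date: Mon Feb 07 11:58:30 EST 2011
Principal: alice@EXAMPLE.COM
Expiration date: Tue Nov 09 12:08:04 EST 2010
Last password change: Tue Nov 09 11:53:04 EST 2010
Password expiration date: Tue Nov 09 12:08:04 EST 2010
Attributes: REQUIRES_PRE_AUTH REQUIRES_PWCHANGE
Principal: bob@EXAMPLE.COM
Expiration date: [never]
Password expiration date: [never]
"""

def parse_kdc_time(value):
    """Timestamp -> naive datetime, [never] -> None. Assumes one zone for all
    entries, so the zone token (5th field, e.g. EST) is simply skipped."""
    if value.strip() == NEVER:
        return None
    p = value.split()
    return datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")

def parse_getprinc(text):
    """One {field: value} dict per principal from concatenated getprinc output."""
    records, current = [], {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        if key == "Principal" and current:  # next record starts here
            records.append(current)
            current = {}
        current[key.strip()] = val.strip()
    return records + [current] if current else records

def expirations_to_clear(text):
    """Heuristic (my assumption): -expire and -pwexpire were set on the same
    deadline; a password change pushes only pwexpire past it (or to [never])."""
    commands = []
    for rec in parse_getprinc(text):
        expire = parse_kdc_time(rec.get("Expiration date", NEVER))
        pwexpire = parse_kdc_time(rec.get("Password expiration date", NEVER))
        if expire is not None and (pwexpire is None or pwexpire > expire):
            commands.append(f"modprinc -expire never {rec['Principal']}")
    return commands  # review, then feed each line to kadmin.local -q
```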